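elasticsearch - How do I set my own field value as @timestamp? (Logstash)
Problem description
I am trying to set @timestamp from my own field value, but I only get bad results, with the tag "_dataparsefailure". I am new to this and I don't know what I got wrong. Can anyone help me? (Sorry for my bad English, I'm Italian :))
2021-06-22 09:06:59,041 -----> this is my date-time format
Below is the code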
filter {
  ...... (some dissect) ....
  aggregate {
    task_id => "%{breadcrumbId}_%{ID}"
    code => '
      map["Inbound_time"] ||= event.get("[Inbound][time]")
      map["Inbound_log_level"] ||= event.get("[Inbound][log][level]")
      map["Inbound_operation_name"] ||= event.get("[Inbound][operation][name]")
      map["Inbound_flow"] ||= event.get("[Inbound][flow]")
      map["Inbound_message"] ||= event.get("[Inbound][message]")
      map["Inbound_payload"] ||= event.get("[Inbound][payload]")
      map["ID"] ||= event.get("ID")
      map["Outbound_time"] ||= event.get("[Outbound][time]")
      map["Outbound_log_level"] ||= event.get("[Outbound][log][level]")
      map["Outbound_operation_name"] ||= event.get("[Outbound][operation][name]")
      map["Outbound_flow"] ||= event.get("[Outbound][flow]")
      map["Outbound_message"] ||= event.get("[Outbound][message]")
      map["Outbound_payload"] ||= event.get("[Outbound][payload]")
      map["event_original"] ||= event.get("[event][original]")
      map["breadcrumbId"] ||= event.get("breadcrumbId")
      map["BPOCO"] ||= event.get("BPOCO")
      map["OrderID"] ||= event.get("OrderID")
      map["QuoteID"] ||= event.get("QuoteID")
      map["ServiceID"] ||= event.get("ServiceID")
      map["Prodotto"] ||= event.get("Prodotto")
      map["faultString"] ||= event.get("faultString")
      map["Mobile/NotMobile"] ||= event.get("Mobile/NotMobile")
      map["SOAP_action"] ||= event.get("[SOAP][action]")
      event.cancel
    '
    push_map_as_event_on_timeout => true
    timeout => 10
  }
  mutate {
    copy => { "Outbound_time" => "times" }
  }
  mutate {
    convert => { "times" => "string" }
  }
  date {
    match => ["times", "YYYY-MM-dd HH:mm:ss,SSS"]
    target => "@timestamp"
  }
}
Solution
According to this source on the date filter:
yyyy
full year number. Example: 2015.
Your filter is
date {
  match => ["times", "YYYY-MM-dd HH:mm:ss,SSS"]
  target => "@timestamp"
}
You may want to change it to
date {
  match => ["times", "yyyy-MM-dd HH:mm:ss,SSS"]
  target => "@timestamp"
}
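An offline way to check which values of the times field fit the pattern yyyy-MM-dd HH:mm:ss,SSS before they reach the date filter, added here as an example and not part of the original question or answer. The strptime format, the function names, the UTC offset default and all sample events except the first value are assumptions made for illustration.

```ruby
require "time"

# strptime equivalent of the pattern "yyyy-MM-dd HH:mm:ss,SSS" (%L = milliseconds).
# Assumption: used only for this offline check, not by Logstash itself.
TIMES_FORMAT = "%Y-%m-%d %H:%M:%S,%L"
TIMES_SHAPE  = /\A\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\z/

# Returns [status, detail]; on :ok the detail is the UTC ISO8601 timestamp.
# utc_offset is an assumed source timezone, since the log value carries none.
def check_times(value, utc_offset = "+00:00")
  return [:missing, nil] if value.nil?
  return [:not_a_string, value.class.name] unless value.is_a?(String)
  return [:bad_shape, value] unless value.match?(TIMES_SHAPE)
  t = Time.strptime("#{value} #{utc_offset}", "#{TIMES_FORMAT} %z")
  [:ok, t.utc.iso8601(3)]
rescue ArgumentError
  [:bad_value, value]
end

# Counts statuses over a list of event hashes, reading the given field.
def triage(events, field = "Outbound_time")
  events.each_with_object(Hash.new(0)) do |e, counts|
    counts[check_times(e[field]).first] += 1
  end
end

# Constructed sample events (only the first value comes from the question).
SAMPLE_EVENTS = [
  { "Outbound_time" => "2021-06-22 09:06:59,041" },
  { "Outbound_time" => nil },
  { "Outbound_time" => "2021-06-22 09:06:59.041" },
  { "Outbound_time" => "2021-06-22 09:06:59,041 " },
  { "Outbound_time" => "2021-13-22 09:06:59,041" },
].freeze

if __FILE__ == $0
  SAMPLE_EVENTS.each { |e| p [e["Outbound_time"], *check_times(e["Outbound_time"])] }
  p triage(SAMPLE_EVENTS)
end
```

Events that come back as anything other than :ok are the ones to inspect when log timestamps fail to land in @timestamp.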