ELK——Logstash 2.2 date 插件【翻译+实践】
本文内容
- 语法
- 测试数据
- 可配置选项
- 参考资料
date 插件是日期插件,这个插件,常用而重要。
如果不用 date 插件,那么 Logstash 将处理时间作为时间戳。时间戳字段是 Logstash 自己添加的内置字段 @timestamp,在ES中关于时间的相关查询,必须使用该字段,你当然也可以修改该字段的值。
迁移到:http://www.bdata-cap.com/newsinfo/1712677.html
语法
该插件必须是用 date 包裹,如下所示:
date {
}
可用的配置选项如下表所示:
| 设置 | 输入类型 | 是否为必填 | 默认值 |
| add_field | hash | No | {} |
| add_tag | array | No | [] |
| locale | string | No | |
| match | array | No | [] |
| periodic_flush | boolean | No | false |
| remove_field | array | No | [] |
| remove_tag | array | No | [] |
| tag_on_failure | array | No | ["_dateparsefailure"] |
| target | string | No | "@timestamp" |
| timezone | string | No |
其中,add_field、remove_field、add_tag、remove_tag 是所有 Logstash 插件都有。它们在插件过滤成功后生效。这四个选项不多说。参见 ELK——Logstash 2.2 mutate 插件。
测试数据
假设有 Tomcat access 日志:
192.168.6.25 - - [24/Apr/2016:01:25:53 +0800] GET "/goLogin" "" 8080 200 1692 23 "http://10.1.8.193:8080/goMain" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0"
192.168.6.25 - - [24/Apr/2016:01:25:53 +0800] GET "/js/common/jquery-1.10.2.min.js" "" 8080 304 - 67 "http://10.1.8.193:8080/goLogin" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0"
192.168.6.25 - - [24/Apr/2016:01:25:53 +0800] GET "/css/common/login.css" "" 8080 304 - 75 "http://10.1.8.193:8080/goLogin" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0"
192.168.6.25 - - [24/Apr/2016:01:25:53 +0800] GET "/js/system/login.js" "" 8080 304 - 53 "http://10.1.8.193:8080/goLogin" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0"
它是按如下 Tomcat 配置产生的:
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t %m "%U" "%q" %p %s %b %D "%{Referer}i" "%{User-Agent}i"" />
若用如下 Grok 表达式解析该日志:
%{IPORHOST:clientip} %{NOTSPACE:identd} %{NOTSPACE:auth} \[%{HTTPDATE:timestamp}\] %{WORD:http_method} %{NOTSPACE:request} %{NOTSPACE:request_query|-} %{NUMBER:port} %{NUMBER:statusCode} (%{NOTSPACE:bytes}|-) %{NUMBER:reqTime} %{QS:referer} %{QS:userAgent}
会得到如下结果:
{
"message" => "192.168.6.25 - - [24/Apr/2016:01:25:53 +0800] GET \"/goLogin\" \"\" 8080 200 1692 23 \"http://10.1.8.193:8080/goMain\" \"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0\"",
"@version" => "1",
"@timestamp" => "2016-05-17T08:26:07.794Z",
"host" => "vcyber",
"clientip" => "192.168.6.25",
"identd" => "-",
"auth" => "-",
"timestamp" => "24/Apr/2016:01:25:53 +0800",
"http_method" => "GET",
"request" => "\"/goLogin\"",
"request_query" => "\"\"",
"port" => "8080",
"statusCode" => "200",
"bytes" => "1692",
"reqTime" => "23",
"referer" => "\"http://10.1.8.193:8080/goMain\"",
"userAgent" => "\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0\""
}
注意,简单起见,日志拆分到各个字段后的数据类型全是字符串。
可配置选项
match
- 值是数组 array
- 默认值为
[]
The date formats allowed are anything allowed by Joda-Time (java time library). You can see the docs for this format here:
joda.time.format.DateTimeFormat
An array with field name first, and format patterns following, [ field, formats... ]
如果你的时间字段可能有多个格式,则可指定多个可能的日期格式:
match => [ "timestamp", "MMM dd YYY HH:mm:ss", "MMM d YYY HH:mm:ss", "ISO8601" ]
Logstash 支持四种日期格式:
ISO8601- should parse any valid ISO8601 timestamp, such as2011-04-19T03:44:01.103ZUNIX- will parse float or int value expressing unix time in seconds since epoch like 1326149001.132 as well as 1326149001UNIX_MS- will parse int value expressing unix time in milliseconds since epoch like 1366125117000TAI64N- will parse tai64n time values
例如,如果你有时间字段 timestamp,可能是 Aug 13 2010 00:03:44,你应该使用如下配置:
filter {
date {
match => [ "logdate", "MMM dd YYYY HH:mm:ss" ]
}
}
如果字段是嵌套结构,那么你可以使用嵌套语法(nested syntax) [foo][bar] 来匹配值。更多信息,参考 the section called “Field Referencesedit”
periodic_flush
- 值是 boolean
- 默认值为
false
Call the filter flush method at regular interval. Optional.
tag_on_failure
- 值是 array
- 默认值为
["_dateparsefailure"]
Append values to the tags field when there has been no successful match
target
- 值是 string
- 默认值为
"@timestamp"
把 match 的时间字段保存到指定字段。若为指定,默认更新到 @timestamp。
示例:
input {
stdin {
}
}
filter {
grok {
match=>["message","%{IPORHOST:clientip} %{NOTSPACE:identd} %{NOTSPACE:auth} \[%{HTTPDATE:timestamp}\] %{WORD:http_method} %{NOTSPACE:request} %{NOTSPACE:request_query|-} %{NUMBER:port} %{NUMBER:statusCode} (%{NOTSPACE:bytes}|-) %{NUMBER:reqTime} %{QS:referer} %{QS:userAgent}"]
}
date {
match=>["timestamp","dd/MMM/yyyy:HH:mm:ss Z"]
target=>"@timestamp"
}
}
output{
stdout{
codec=>rubydebug
}
}
得到如下结果:
{
"message" => "}192.168.6.25 - - [24/Apr/2016:01:25:53 +0800] GET \"/goLogin\" \"\" 8080 200 1692 23 \"http://10.1.8.193:8080/goMain\" \"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0\"",
"@version" => "1",
"@timestamp" => "2016-04-23T17:25:53.000Z",
"host" => "vcyber",
"clientip" => "192.168.6.25",
"identd" => "-",
"auth" => "-",
"timestamp" => "24/Apr/2016:01:25:53 +0800",
"http_method" => "GET",
"request" => "\"/goLogin\"",
"request_query" => "\"\"",
"port" => "8080",
"statusCode" => "200",
"bytes" => "1692",
"reqTime" => "23",
"referer" => "\"http://10.1.8.193:8080/goMain\"",
"userAgent" => "\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0\""
}
timezone
- 值是 string
- 无默认值
Specify a time zone canonical ID to be used for date parsing. The valid IDs are listed on the Joda.org available time zones page. This is useful in case the time zone cannot be extracted from the value, and is not the platform default. If this is not specified the platform default will be used. Canonical ID is good as it takes care of daylight saving time for you For example, America/Los_Angeles or Europe/Paris are valid IDs. This field can be dynamic and include parts of the event using the %{field} syntax
ELK——Logstash 2.2 date 插件【翻译+实践】的更多相关文章
- ELK——Logstash 2.2 mutate 插件【翻译+实践】
官网地址 本文内容 语法 测试数据 可选配置项 mutate 插件可以在字段上执行变换,包括重命名.删除.替换和修改.这个插件相当常用. 比如: 你已经根据 Grok 表达式将 Tomcat 日志的内 ...
- logstash date插件介绍
时间处理(Date) 之前章节已经提过, filters/date 插件可以用来转换你的日志记录中的时间字符串,变成 LogStash::Timestamp 对象,然后转存到 @timestamp 字 ...
- [elk]logstash的grok匹配逻辑grok+date+mutate
重点参考: http://blog.csdn.net/qq1032355091/article/details/52953837 logstash的精髓: grok插件原理 date插件原理 kv插件 ...
- 导入旧数据需要 使用date插件
"@version" => "1", "@timestamp" => "2016-09-12T08:31:06.630 ...
- [elk]logstash的最佳实战-项目实战
重点参考: http://blog.csdn.net/qq1032355091/article/details/52953837 不得不说这是一个伟大的项目实战,是正式踏入logstash门槛的捷径 ...
- [elk]logstash grok原理
logstash语法 http://www.ttlsa.com/elk/elk-logstash-configuration-syntax/ https://www.elastic.co/guide/ ...
- ELK logstash 处理MySQL慢查询日志(初步)
写在前面:在做ELK logstash 处理MySQL慢查询日志的时候出现的问题: 1.测试数据库没有慢日志,所以没有日志信息,导致 IP:9200/_plugin/head/界面异常(忽然出现日志数 ...
- [elk]logstash统计api访问失败率
处理原始日志 日志从moogoo导出来的 { "mobile" : "13612345678", "isp" : "中国移动_广东 ...
- [elk]logstash&filebeat常用语句
filebeat安装dashboard 参考: https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-getting-star ...
随机推荐
- 巧用Javascript中的slice()
slice()是Javascript中Array的一个方法,定义是这样的. arrayObject.slice(start,end)作用是从原数组中从start到end位置截取出一个新的数组,返回值是 ...
- netbeans中实体类代码的bug
用了netbeans中实体类代码后,忽然报错: com.sun.tools.javac.code.Symbol$CompletionFailure: 找不到sun.util.logging.Platf ...
- JSONP跨域数据调用
引自:http://kb.cnblogs.com/page/139725/ Web页面上调用js文件时则不受是否跨域的影响(不仅如此,我们还发现凡是拥有”src”这个属性的标签都拥有跨域的能力,比如& ...
- WCF配置与服务寄宿
1.项目框架如下: 2.WCF服务项目 其中WCFService中存放服务契约及其实现,需添加命名空间:System.ServiceModel 3.服务寄宿 WCFHost是一个控制台程序,用于寄宿W ...
- hibernate 不识别union解决方法
问题: 一个表里有 1, 2 1, 3 2, 1 2, 4 现在要找第一位是1的第二位:2,3 和 第二位是1的第一位:2.然后去掉重复 ...
- day5----模块
1.定义 模块:用来从逻辑上组织python代码(变量,函数,类,运行逻辑:实现一个功能),本质就是.py结尾的python文件(文件名:test.py,对应的模块名:test) 包: ...
- 后台向前台输出 换行“\n”
MVC 中后台向前台输出 "\n"总是报错 因为后台向前台输出 "\n" 后,前台出现换行 eg: "这里是\n换行" var str=& ...
- MySQL 外键异常分析
外键约束异常现象 如下测例中,没有违反引用约束的插入失败. create database `a-b`; use `a-b`; SET FOREIGN_KEY_CHECKS=0; create tab ...
- iOS 重大新漏洞:可绕开苹果审核机制
iOS 是目前最为安全可靠的移动平台,但既然是软件就不会是无坚不摧的.乔治亚技术信息安全中心 (Georgia Tech Information Security Center)的研究员不久前声称,他 ...
- SQLite主键自增需要设置为integer PRIMARY KEY
按照正常的SQL语句,创建一个数据表,并设置主键是这样的语句: ), EventType )) 但使用这种办法,在SQLite中创建的的数据表,如果使用Insert语句插入记录,如下语句: INSER ...