Logstash無法識別登錄時間

Question

我是新來的ELK閱讀文檔後棧但我仍然無法得到logstash認識到自定義時間

日誌看起來是這樣

2014-11-30 03:30:01.000118,122.99.34.242,123.56.212.1,44,u,q,NA,0  ? a.root-servers.net A 

我logstash過濾器是這個

filter { 
    date { 
      #2014-11-30 03:30:01.000118,122.99.34.242,123.56.212.1,44,u,q,NA,0  ? a.root-servers.net A 
      match => ["timestamp" , "YYYY-MM-dd HH:mm:ss"] 
      locale => "en" 
    } 
} 

但是當我運行它，雖然這個配置文件通過與日誌文件它不出現識別匹配我有定義

{ 
    "message" => "2014-11-30 03:30:01.011895,123.52.36.153,213.55.121.1,55,u,q,NA,0\t? mobile-collector.newrelic.com A\t", 
    "@version" => "1", 
"@timestamp" => "2014-12-03T03:09:49.857Z", 
     "type" => "syslog", 
     "host" => "0.0.0.0", 
     "path" => "/var/log/dns/2014-11-30_0335_dnsparse.log" 
} 

我跑「logstash 1.4.2改性」

爲了完整這裏是我的整個logstash配置

input { 
    file { 
      path => "/var/log/dns/*.log" 
      type => "dns_parselog" 
      start_position => beginning 
    } 
} 

filter { 
    date { 
      #2014-11-30 03:30:01.000118,122.99.34.242,123.56.212.1,44,u,q,NA,0  ? a.root-servers.net A 
      match => ["timestamp" , "YYYY-MM-dd HH:mm:ss"] 
      locale => "en" 
    } 
} 
output { 
    elasticsearch { 
      host => localhost 
    } 
    stdout { codec => rubydebug } 
} 

Answer 1

你問日期過濾器解析了一場名爲「時間戳」，但沒有這樣的字段。首先將消息中的時間戳提取到單獨的字段，然後使用日期過濾器。

filter { 
    grok { 
    match => ["message", "%{TIMESTAMP_ISO8601:timestamp}"] 
    } 
    date { 
    match => ["timestamp", "YYYY-MM-dd HH:mm:ss.SSSSSS"] 
    remove_field => ["timestamp"] 
    } 
} 

您需要向grok表達式添加其他模式以提取附加字段，但這不在此問題的範圍之內。