0
我需要將UNIX時間戳字段的值寫入@timestamp,以便我可以正確地爲通過logstash流動的數據建立索引,我有這部分工作。不過我也有要求@timestamp的值應該是插入時間。爲此,我製作了一個臨時字段,其中包含@timestamp的原始值。在LogStash中寫入@timestamp
以下是我與合作:
filter {
csv {
separator => " " # <- this white space is actually a tab, don't change it, it's already perfect
skip_empty_columns => true
columns => ["timestamp", ...]
}
# works just fine
mutate {
add_field => {
"tmp" => "%{@timestamp}"
}
}
# works just fine
date {
match => ["timestamp", "UNIX"]
target => "@timestamp"
}
# this works too
mutate {
add_field => {
"[@metadata][indexDate]" => "%{+YYYY-MM-dd}"
}
}
# @timestamp is not being set back to its original value
date {
match => ["tmp", "UNIX"]
target => "@timestamp"
}
# works just fine
mutate {
remove_field => ["tmp"]
}
}
output {
elasticsearch {
hosts => "elasticsearch:9200"
# this works
index => "indexname-%{[@metadata][indexDate]}"
}
}
的問題是在這裏:
date {
match => ["tmp", "UNIX"]
target => "@timestamp"
}
@timestamp沒有被設置回其原始值。當我檢查數據時,它具有與timestamp字段相同的值。
你能簡單地刪除'目標=> ...'通常'@ timestamp'字段將被默認選中。 – Val
我剛剛嘗試過,先在問題區域,然後在兩個地方。 '@ timestamp'仍然保存'timestamp'的值。 – robbmj