Logstash和ElasticSearch過濾器日期@timestamp問題

Question

我試圖通過使用Logstash從文件索引一些數據到ElasticSearch。

如果我不在爲了更換@timestamp一切使用Date filter工作得非常好，但在利用濾波器​​我沒有得到所有的數據時。

我不明白爲什麼Logstash command line和Elasticsearch之間的@timestamp值之間的差異。

Logstash的conf

filter { 
    mutate { 
     replace => { 
      "type" => "dashboard_a" 
     } 
    } 
    grok { 
     match => [ "message", "%{DATESTAMP:Logdate} \[%{WORD:Severity}\] %{JAVACLASS:Class} %{GREEDYDATA:Stack}" ] 
    } 
    date {       
     match => [ "Logdate", "dd-MM-yyyy hh:mm:ss,SSS" ] 
    } 
} 

Logstash命令行跡

{ 
**"@timestamp" => "2014-08-26T08:16:18.021Z",** 
    "message" => "26-08-2014 11:16:18,021 [DEBUG] com.fnx.snapshot.mdb.SnapshotMDB - SnapshotMDB Ctor is called\r", 
    "@version" => "1", 
     "host" => "bts10d1", 
     "path" => "D:\\ElasticSearch\\logstash-1.4.2\\Dashboard_A\\Log_1\\6.log", 
     "type" => "dashboard_a", 
    "Logdate" => "26-08-2014 11:16:18,021", 
    "Severity" => "DEBUG", 
    "Class" => "com.fnx.snapshot.mdb.SnapshotMDB", 
    "Stack" => " - SnapshotMDB Ctor is called\r" 
    } 

ElasticSearch結果

{ 
    "_index": "logstash-2014.08.28", 
    "_type": "dashboard_a", 
    "_id": "-y23oNeLQs2mMbyz6oRyew", 
    "_score": 1, 
    "_source": { 
     **"@timestamp": "2014-08-28T14:31:38.753Z", 
     **"message": "15:07,565 [DEBUG] com.fnx.snapshot.mdb.SnapshotMDB - SnapshotMDB Ctor is called\r", 
     "@version": "1", 
     "host": "bts10d1", 
     "path": "D:\\ElasticSearch\\logstash-1.4.2\\Dashboard_A\\Log_1\\6.log", 
     "type": "dashboard_a", 
     "tags": ["_grokparsefailure"] 
    } 
} 

Answer 1

請確保您的所有日誌都是格式化的！

您可以在logstash命令行中看到跟蹤日誌是

26-08-2014 11：16：18021 [DEBUG] com.fnx.snapshot.mdb.SnapshotMDB - SnapshotMDB男星被稱爲\ [R

但是，在elastsicsearch日誌是

15：07565 [DEBUG] com.fnx.snapshot.mdb.SnapshotMDB - SnapshotMDB男星被稱爲\ R」，

兩個日誌有不同的時間和他們的格式不一樣！第二個沒有關於白天的任何信息，因此它會導致grok filter解析錯誤。你可以去檢查原始日誌。或者你可以提供原始日誌樣本進行更多討論，如果它們都是格式的話！