i have a field named "time",the format is just like "2018/05/02:08:22:23" , so i used a date filter, and the format is like following:
date {
match => ["time","yyyy/MM/dd:HH:mm:ss"]
targer =>"@timestamp"
}
there is no any _dateparsefailure in tags,but the timestamp didn't change,where is the problem
i have viewed the previous topic , but i didn't find the solution,i'll appreciate it if anyone who can help me~:grinning:
Please show an example event produced by Logstash. Use a stdout { codec => rubydebug } output.
The output is as follows:
{
"inter_id" => "134"
"module" => "0-PPE-1"
"messag" => "<134> 2018/05/08:02:06:05 GMT PH180I1-NC80LC02 0-PPE-1 : default tcp nat_conn_delink"
"type" =>"logs"
"tags" =>[
[0] "LC"
],
"hostname" =>"PH180I1-NC80LC02 "
"@timestamp"=>2018-05-07T18:06:05.000z,
"time" => "2018/05/05:02:06:05"
"info" => " default tcp nat_conn_delink""
}
Okay. And what does the complete configuration look like? Does the date filter come after the grok filter or whatever you're using the parse the message field?
of course ,the date filter is after grok, the full configuration of the filter is like:
filter {
grok {
patterns_dir => ["/etc/logstash/patterns"]
match=>["message","INT:inter_id%{time:time} GMT %{HOSTNAME:hostname}%{URIHOST:module} :default %{event:event} %{INT:int1}:%{GREEDYDATE:info}"]
}
date {
match => ["time","yyyy/MM/dd:HH:mm:ss"]
target =>"@timestamp"
}
}
Um, wait. What's the timezone on the machine where you're running Logstash? UTC+8, by any chance? It looks like the date filter is working fine. Perhaps you need to set the date filter's timezone option (or have it parse the GMT string in the timestamp) to override the timezone used when parsing the timestamp.
the timezone here is GMT+8,I will try to parse the GMT in the time field and try again
I have tried both using timezone option and put GMT in the "time" field,still the same.
it does work,i used timezone option,thanks~
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.