我正在做一个 ELK stack 作业
我在为多个组件 grok 模式配置时收到日期格式的 logstash 配置错误。我的日期是 21-Feb-2023 07:30:55.000(在 component3 if block 中)并且我在日期过滤器中使用 dd-MMM-yyyy HH:mm:ss.SSS。因为我有多个组件,所以我使用 if 语句。 (而 filebeat.yml 负责这些设置。)
因为我使用不同的日期格式,所以我尝试使用逗号分隔。但它不起作用!
input {
beats {
port => 5044
}
}
filter {
grok {
match => { "[log][file][path]" => "%{GREEDYDATA}/%{GREEDYDATA:filename}\.log" }
}
if [fields][component] == "component1" {
grok {
match => { "message" => "(?<context>.*)?t=%{TIMESTAMP_ISO8601:logTime} level=%{LOGLEVEL:logLevel} msg=%{GREEDYDATA:logMessage}" }
}
}
if [fields][component] == "component2" {
grok {
match => { "message" => "%{MONTH} %{NUMBER} %{TIME} %{HOSTNAME:host} influxd-systemd-start.sh\[%{NUMBER}\]: ts=%{TIMESTAMP_ISO8601:logTime} lvl=%{LOGLEVEL:logLevel} %{GREEDYDATA:logMessage}" }
}
}
if [fields][component] == "component3" {
grok {
pattern_definitions => {
"CUSTOMMONTH" => "(Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)"
"CUSTOMTIMESTAMP" => "%{MONTHDAY}-%{CUSTOMMONTH}-%{YEAR} %{TIME}"
}
match => { "message" => "%{CUSTOMTIMESTAMP:logTime} %{LOGLEVEL:logLevel} \[%{DATA:thread}\] %{JAVACLASS:class} %{GREEDYDATA:logMessage}" }
}
}
date{
match => ["logTime", "yyyy-MM-dd HH:mm:ss","dd-MMM-yyyy:HH:mm:ss.SSS", "ISO8601"]
timezone => "XXX/AAA"
target => "@timestamp"
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "logs-analytics_%{+YYYY.MM.dd}"
}
}
我得到的错误:
"failed to parse field [logTime] of type [date] in document with id 'hjfghfjhfkjhg'. Preview of field's value: '21-Feb-2023 07:30:55.000'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"failed to parse date field [21-Feb-2023 07:30:55.000] with format [strict_date_optional_time||epoch_millis]", "caused_by"=>{"type"=>"date_time_parse_exception", "reason"=>"Failed to parse with all enclosed parsers"
任何人都可以建议如何处理 grok 模式日期过滤器中的多种日期格式..
提前致谢!