输入是逗号分隔的值:“2010-08-19”,“九时12分55秒”,“56095675”
我创建了看似正确的格式date_time但不匹配的自定义字段2010-08-19;09:12:55。
filter {
grok {
match => { "message" => '"(%{GREEDYDATA:cust_date})","(%{TIME:cust_time})","(%{NUMBER:author})"'}
add_field => {
"date_time" => "%{cust_date};%{cust_time}"
}
}
date {
match => ["date_time", "yyyy-MM-dd;hh:mm:ss"]
target => "@timestamp"
add_field => { "debug" => "timestampMatched"}
}
在Kibana输出:
cust_date August 18th 2010, 20:00:00.000
cust_time 09:12:55
date_time 2010-08-19;09:12:55
message "2010-08-19","09:12:55","56095675"
tags beats_input_codec_plain_applied, _dateparsefailure
它给_dateparsefailure。本场似乎是相同的匹配模式。我喜欢尝试不同的YYYY-MM-dd;hh:mm:ss时间格式和YYYY-MM-dd;HH:mm:ss我在做什么错?救命!
你应该把date插件filter段内,有权根据grok。
filter {
grok {
match => { "message" => '"(%{GREEDYDATA:cust_date})","(%{TIME:cust_time})","(%{NUMBER:author})"'}
add_field => {
"date_time" => "%{cust_date};%{cust_time}"
}
date {
match => ["date_time", "yyyy-MM-dd;hh:mm:ss"]
target => "@timestamp"
add_field => { "debug" => "timestampMatched"}
}
}