不要急,总有办法的

如何指定Time Field为其他字段

Kibana | 作者 婚格线 | 发布于2014年12月02日 | 阅读数:6269

请坛子里的大牛看一下 谢谢

我想指定Time Field 为runtime
以下是我的shiper.conf
input {
file {
path => "/data/curldata/curllog"
type => "curllog"
}
}
filter {
if [type] == "curllog" {
grok {
type => "curllog"
match => [
"message","%{HTTPDATE:runtime},(?:%{NUMBER:speed_download:float})"
]
add_tag => ["herbert"]
}
}else
{
drop {}
}

date {
target => "curllog"
match => [ "runtime" , "dd/MMM/YYYY:HH:mm:ss Z" ]

}

}

output {
stdout {
debug => true
debug_format => json
}


redis {
host => "192.168.1.100"
port => 6379
data_type => "list"
key => "logstash"
}
}


当我 插入数据的时候:
echo "01/Dec/2014:17:51:43 0800,1044379.000" >>/data/curldata/curllog



{"message":"01/Dec/2014:17:51:43 0800,1044379.000","@version":"1","@timestamp":"2014-12-02T02:10:49.740Z","type":"curllog","host":"puppet4.oss.letv.com","path":"/data/curldata/curllog","runtime":"01/Dec/2014:17:51:43 0800","speed_download":1044379.0,"tags":["herbert"]}

在web界面以runtime作为横坐标提示:× Oops! ClassCastException


mapping信息
"runtime":{"type":"string","norms":{"enabled":false},"fields":{"raw":{"type":"string","index":"not_analyzed","ignore_above":256}}},


我参考的文档:
getting-the-best-out-of-logstash-for-nginx


已邀请:

Rubricate - hi

赞同来自: 婚格线

date {
target => "runtime"
match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]

}



这样就行了,哈哈哈哈
可以多看看logstash的基本文档,除了三斗室的



http://logstash.net/docs/1.4.2/filters/date

要回复问题请先登录注册