Filebeat 6.4.2 the timestamp is not right

Author: zqc0512 | Posted 6 days ago | Views: 93

https://discuss.elastic.co/t/f ... 51748
 
How do I fix this?
 
 
With Filebeat 6.4.2 the timestamp is not right.
I use Filebeat 6.4.2 to send to ES.
The time is off by +8, which is not right.
My machine's timezone is
Wed Oct 10 13:03:45 CST 2018
but the time Filebeat writes into ES looks like
"@timestamp" : "2018-10-10T12:58:01.000Z",
How can I change the @timestamp by -8 hours?
Searching on this does not work properly.
In system.yml at /etc/filebeat/modules.d:

- module: system
  # Syslog
  syslog:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
    var.convert_timezone: false
    #var.convert_timezone: true

  # Authorization logs
  auth:
    enabled: true

    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:

    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
    var.convert_timezone: false
    #var.convert_timezone: true

Should var.convert_timezone be true or false when my timezone is not UTC but CST?

rochy - rochy_he@jointsky

Your settings look fine; with var.convert_timezone: false, local time is not converted to UTC by default.
You can take a look at the value of the beat.timezone field.

zqc0512 - andy zhou

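The main thing is that right now @timestamp is October 10th 2018, 23:25:21.000; this thing has had 8 hours added to the time.
How do I fix it?
  "@timestamp": "2018-10-10T15:25:21.000Z", in the original file. It adds 8 and the value has not been reduced, damn it...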

zqc0512 - andy zhou

Processing it with a pipeline doesn't work either. Filebeat has no time field by default, only @timestamp, and processing that doesn't work.
{
  "description" : "testime",
  "processors" : [
    {
      "date" : {
        "field" : "@timestamp",
        "target_field" : "timestamp",
        "formats" : ["ISO8601"],
        "timezone" : "Asia/Shanghai",
        "locale" : "cn"
      }
    }
  ]
}
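This is the content of the pipeline.
When I query in ES, the timestamp field isn't even there...
How do I fix this?
I don't want to put another layer of Logstash on top to process it.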
@rochy

zqc0512 - andy zhou

Solved, damn it. It writes a pipeline of its own; add a timezone inside that one:

"timezone" : "CST"
 
Damn it. I searched all over.

zqc0512 - andy zhou

/_ingest/pipeline?pretty
It's the content under this:

"filebeat-6.4.2-system-syslog-pipeline" : {
  "processors" : [
    {
      "grok" : {
        "ignore_missing" : true,
        "field" : "message",
        "patterns" : [
          "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:system.syslog.hostname} %{DATA:system.syslog.program}(?:\\[%{POSINT:system.syslog.pid}\\])?: %{GREEDYMULTILINE:system.syslog.message}",
          "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}"
        ],
        "pattern_definitions" : {
          "GREEDYMULTILINE" : "(.|\n)*"
        }
      }
    },
    {
      "remove" : {
        "field" : "message"
      }
    },
    {
      "date" : {
        "target_field" : "@timestamp",
        "formats" : [
          "MMM d HH:mm:ss",
          "MMM dd HH:mm:ss"
        ],
        "ignore_failure" : true,
        "field" : "system.syslog.timestamp",
        "timezone" : "CST"
      }
    }
  ],
  "on_failure" : [
    {
      "set" : {
        "field" : "error.message",
        "value" : "{{ _ingest.on_failure_message }}"
      }
    }
  ],
  "description" : "Pipeline for parsing Syslog messages."
}
 
It's the content here; I thought you meant writing a new one...
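
Added example, not part of the thread and not Elastic's code: a Python re-implementation of what a `date` processor does with a zone-less syslog timestamp (read as UTC unless a `timezone` is set), plus a check that flags events whose skew from ingest time is close to a whole number of hours. The function names, the syslog text (reconstructed from the `@timestamp` in the first post) and the fixed UTC+8 offset standing in for the poster's CST are assumptions.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Assumption: the poster's "CST" is China Standard Time, a fixed UTC+8 with no DST.
# The abbreviation is ambiguous across regions; an IANA name such as Asia/Shanghai is not.
CHINA = timezone(timedelta(hours=8))
ES_FORMAT = "%Y-%m-%dT%H:%M:%S.000Z"

# Constructed from the first post: log text and the machine clock at ingest.
SYSLOG_TS = "Oct 10 12:58:01"
INGEST = datetime(2018, 10, 10, 13, 3, 45, tzinfo=CHINA)


def to_es_timestamp(syslog_ts, year, tz=UTC):
    """Interpret a zone-less 'MMM d HH:mm:ss' stamp in tz and render it as @timestamp."""
    # Syslog omits the year, so the caller supplies it; runs of spaces ("Oct  9") parse too.
    naive = datetime.strptime(f"{year} {syslog_ts}", "%Y %b %d %H:%M:%S")
    return naive.replace(tzinfo=tz).astimezone(UTC).strftime(ES_FORMAT)


def suspected_offset_hours(event_ts, ingest, tolerance=timedelta(minutes=15)):
    """Whole-hour skew of an event against ingest time, or None if not near a whole hour.

    A non-zero result on fresh logs points at a timezone misparse, not clock drift.
    """
    event = datetime.strptime(event_ts, ES_FORMAT).replace(tzinfo=UTC)
    skew = event - ingest
    hours = round(skew / timedelta(hours=1))
    residual = abs(skew - timedelta(hours=hours))
    return hours if residual <= tolerance else None


if __name__ == "__main__":
    as_utc = to_es_timestamp(SYSLOG_TS, 2018)           # no timezone configured
    as_cst = to_es_timestamp(SYSLOG_TS, 2018, CHINA)    # timezone configured
    for label, ts in (("default UTC", as_utc), ("UTC+8", as_cst)):
        print(f"{label:12} {ts}  skew={suspected_offset_hours(ts, INGEST)}h")
```

Run against a sample of freshly ingested events, a consistent non-zero skew shows the index holds shifted timestamps, which matters when those events are later lined up against other sources in a timeline.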
