datetime parse in ELK
I am trying to parse logs using the ELK stack. Below is my sample log:

2015-12-11 12:05:24+0530 [process] INFO: process 0.24.5 started

I am using the following grok:

grok {
  match => { "message" => "(?m)%{TIMESTAMP_ISO8601:processdate}\s+\[%{WORD:name}\]\s+%{LOGLEVEL:loglevel}" }
}

My Elasticsearch mapping is:

{
  "properties": {
    "processdate": {
      "type": "date",
      "format": "yyyy-MM-dd HH:mm:ss+SSSS"
    },
    "name": { "type": "string" },
    "loglevel": { "type": "string" }
  }
}

But while loading into Elasticsearch I get the following error:

"error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [processdate]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"2015-12-11 12:05:39+0530\" is malformed at \" 12:05:39+0530\""}}}}, :level=>:warn}

How do I change this to a suitable date format? I have added the correct date format in Elasticsearch.

Update: localhost:9200/log

{"log":{"aliases":{},"mappings":{"filelog":{"properties":{"processdate":{"type":"date","format":"yyyy-MM-dd' 'HH:mm:ssZ"},"loglevel":{"type":"string"},"name":{"type":"string"}}}},"settings":{"index":{"creation_date":"1458218007417","number_of_shards":"5","number_of_replicas":"1","uuid":"_7ffuioZS7eGBbFCDMk7cw","version":{"created":"2020099"}}},"warmers":{}}}
The error you are getting means that your date format is wrong. Fix your date format like this, i.e. use Z (time zone) at the end instead of +SSSS (fraction of a second):

{
  "properties": {
    "processdate": {
      "type": "date",
      "format": "yyyy-MM-dd HH:mm:ssZ"
    },
    "name": { "type": "string" },
    "loglevel": { "type": "string" }
  }
}

Also, based on our earlier exchange, your elasticsearch output plugin is missing the document_type setting. It should be configured like this so that your custom filelog mapping type is used (otherwise the default logs type is used and your custom mapping type never takes effect):

output {
  elasticsearch {
    hosts => ["172.16.2.204:9200"]
    index => "log"
    document_type => "filelog"
  }
}
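As an added illustration of the Z-versus-SSSS point in the answer above (example code written for this page, not part of the question, the answer, or Logstash itself): the regex is a hand-expanded equivalent of the question's grok pattern, and the trailing +0530 in the sample line is parsed as a UTC offset rather than fractional seconds, then normalised to UTC so the timestamp is unambiguous regardless of which offset a host logs in.

```python
import re
from datetime import datetime, timezone

# Constructed sample line in the format from the question.
SAMPLE_LINE = "2015-12-11 12:05:24+0530 [process] INFO: process 0.24.5 started"

# Regex equivalent of the question's grok pattern:
#   %{TIMESTAMP_ISO8601:processdate}\s+\[%{WORD:name}\]\s+%{LOGLEVEL:loglevel}
# TIMESTAMP_ISO8601 is expanded by hand: date, 'T' or space, time, optional offset.
LINE_RE = re.compile(
    r"(?P<processdate>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[+-]\d{4}|Z)?)"
    r"\s+\[(?P<name>\w+)\]\s+"
    r"(?P<loglevel>TRACE|DEBUG|INFO|WARNING|WARN|ERROR|FATAL|SEVERE)"
)


def parse_line(line):
    """Extract the three fields the grok filter produces; None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_timestamp(value):
    """Parse 'yyyy-MM-dd HH:mm:ssZ'. The trailing +0530 is a UTC offset (the Z token),
    not a fraction of a second (SSSS), which is the confusion behind the mapping error."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S%z")


def to_utc_iso(value):
    """Normalise the offset timestamp to UTC ISO 8601 (e.g. 2015-12-11T06:35:24+00:00),
    which Elasticsearch's default date format accepts and which keeps events from
    hosts in different time zones in a single, comparable timeline."""
    return parse_timestamp(value).astimezone(timezone.utc).isoformat()


if __name__ == "__main__":
    fields = parse_line(SAMPLE_LINE)
    print(fields)
    print(to_utc_iso(fields["processdate"]))
```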