Logstash - 从 JSON 解析的对象设置时间戳
Logstash - Setting a timestamp from a JSON parsed object
我在从 JSON 解析设置时间戳时遇到问题。
我有这个字符串:
[{"orderNumber":"423523-4325-3212-4235-463a72e76fe8","externalOrderNumber":"reactivate_22d6ff0d8f55eb821be14df9d35505a6","operation":{"name":"CAPTURE","amount":134,"status":"SUCCESS","createdAt":"2015-05-11T09:14:30.969Z","updatedAt":{}}}]
我使用这个 Logstash 过滤器将其解析为 json:
grok {
match => { "message" => "\[%{GREEDYDATA:firstjson}\]%{SPACE} \[%{GREEDYDATA:secondjson}\}]}]"}
}
json{
source => "firstjson"
}
date {
match => [ "operation.createdAt", "ISO8601"]
}
mutate {
remove_field => [ "firstjson", "secondjson" ]
}
}
这会在 ElasticSearch 中创建一个文档。我有一个名为 operation.createdAt 的字段,它被正确识别为日期字段。但出于某种原因,这一行:
date {
match => [ "operation.createdAt", "ISO8601"]
}
没有设置@timestamp 字段。当前@timestamp 字段在文档插入时设置。我做错了什么?
感谢 ES Logstash Community 的好心人,我找到了答案。
而不是:
date {
match => [ "operation.createdAt", "ISO8601"]
}
我用这个:
date {
match => [ "[operation][createdAt]", "ISO8601"]
}
并正确提取和解析 JSON 时间对象。
我在从 JSON 解析设置时间戳时遇到问题。
我有这个字符串:
[{"orderNumber":"423523-4325-3212-4235-463a72e76fe8","externalOrderNumber":"reactivate_22d6ff0d8f55eb821be14df9d35505a6","operation":{"name":"CAPTURE","amount":134,"status":"SUCCESS","createdAt":"2015-05-11T09:14:30.969Z","updatedAt":{}}}]
我使用这个 Logstash 过滤器将其解析为 json:
grok {
match => { "message" => "\[%{GREEDYDATA:firstjson}\]%{SPACE} \[%{GREEDYDATA:secondjson}\}]}]"}
}
json{
source => "firstjson"
}
date {
match => [ "operation.createdAt", "ISO8601"]
}
mutate {
remove_field => [ "firstjson", "secondjson" ]
}
}
这会在 ElasticSearch 中创建一个文档。我有一个名为 operation.createdAt 的字段,它被正确识别为日期字段。但出于某种原因,这一行:
date {
match => [ "operation.createdAt", "ISO8601"]
}
没有设置@timestamp 字段。当前@timestamp 字段在文档插入时设置。我做错了什么?
感谢 ES Logstash Community 的好心人,我找到了答案。
而不是:
date {
match => [ "operation.createdAt", "ISO8601"]
}
我用这个:
date {
match => [ "[operation][createdAt]", "ISO8601"]
}
并正确提取和解析 JSON 时间对象。