
Logstash time field handling


Defining a new time field offset by 8 hours

index_date is parsed into the form: YYYY.MM.dd

index_date_1 is parsed into the form: YYYY.MM.dd.HH

filter {
    # Shift the instant 8 hours ahead. In Ruby, `+ 8*60*60` moves the instant itself
    # (.localtime only changes the zone used to print it), and Logstash stores the
    # Ruby Time back as a Timestamp, so the string form below is still rendered in
    # UTC, e.g. 2023-08-09T12:34:56.000Z.
    ruby {
        code => "event.set('index_date', event.get('@timestamp').time.localtime + 8*60*60)
                 event.set('index_date_1', event.get('@timestamp').time.localtime + 8*60*60)"
    }

    # index_date: 2023-08-09T12:34:56.000Z -> 2023-08-09 -> 2023.08.09
    # (all gsub rules of one mutate go in a single array: field, pattern, replacement, ...)
    mutate {
        convert => ["index_date", "string"]
        gsub => [
            "index_date", "T([\S\s]*?)Z", "",
            "index_date", "-", "."
        ]
    }

    # index_date_1: 2023-08-09T12:34:56.000Z -> 2023-08-09T12 -> 2023.08.09.12
    mutate {
        convert => ["index_date_1", "string"]
        gsub => [
            "index_date_1", ":([\S\s]*?)Z", "",
            "index_date_1", "-", ".",
            "index_date_1", "T", "."
        ]
    }
}

Alternatively, with the date filter:

filter {
    date {
        match => ["timestamp", "yyyy-MM-dd HH:mm:ss.SSS"]
        # Etc/GMT+8 is UTC-8 (POSIX zone names invert the sign), so the wall-clock
        # text is read as UTC-8 and stored as a UTC instant 8 hours later than the
        # same text read as UTC. Asia/Shanghai (UTC+8) would shift it the other way.
        timezone => "Etc/GMT+8"
        target => "timestamp"
    }
}

Adding 8 hours to the @timestamp field

filter {
    # index_date = @timestamp shifted 8 hours ahead (a Timestamp, rendered in UTC)
    ruby {
        code => "event.set('index_date', event.get('@timestamp').time.localtime + 8*60*60)"
    }

    # grok works on the string form of the Timestamp and captures it as timestampn
    grok {
        match => { "index_date" => "%{TIMESTAMP_ISO8601:timestampn}" }
    }

    # parse the shifted string back into @timestamp
    date {
        match => ["timestampn", "yyyy-MM-dd'T'HH:mm:ss.SSSZ"]
        target => "@timestamp"
    }

    # drop the helper fields
    mutate {
        remove_field => ["index_date", "timestampn"]
    }
}

Note:

If @timestamp does not hold UTC (for example after the 8-hour shift above) and the browser timezone is UTC+8, the Kibana query page shows no data: Kibana treats @timestamp as UTC and applies the browser offset itself on display, so a value that was already advanced by 8 hours lies 8 hours in the future and falls outside a range such as "last 15 minutes".
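As an added example that is not part of the original post, the following Ruby script reproduces outside Logstash what the first filter chain above does to an event's @timestamp (the 8-hour shift followed by the gsub rewrites that build index_date and index_date_1), including the day-boundary case that is the reason for the shift, and then checks what the note about Kibana means: a pre-shifted value is compared against "last 15 minutes" as an instant 8 hours in the future and is rendered 16 hours ahead by a UTC+8 browser. The functions simulate_index_fields, visible_in_kibana_window? and kibana_display, the sample timestamps and the 15-minute window are constructed for this illustration; the string shape of a Logstash Timestamp is imitated with strftime rather than taken from Logstash itself.

```ruby
require 'time'

EIGHT_HOURS = 8 * 60 * 60

# Reproduces the first filter chain: shift the instant 8 hours ahead, render it
# the way a Logstash Timestamp prints (UTC, millisecond precision, trailing Z),
# then apply the same gsub rewrites as the two mutate blocks.
# timestamp_utc_iso is the event's @timestamp as an ISO 8601 string (constructed input).
def simulate_index_fields(timestamp_utc_iso)
  event_time = Time.iso8601(timestamp_utc_iso).utc

  # ruby filter: adding seconds to a Ruby Time changes the instant, not just the zone
  shifted = event_time + EIGHT_HOURS
  as_string = shifted.utc.strftime('%Y-%m-%dT%H:%M:%S.%LZ') # e.g. 2023-08-10T02:30:00.000Z

  # mutate #1: index_date -> YYYY.MM.dd
  index_date = as_string.gsub(/T([\S\s]*?)Z/, '').gsub('-', '.')

  # mutate #2: index_date_1 -> YYYY.MM.dd.HH
  index_date_1 = as_string.gsub(/:([\S\s]*?)Z/, '').gsub('-', '.').gsub('T', '.')

  { 'index_date' => index_date, 'index_date_1' => index_date_1 }
end

# Models how Kibana evaluates a relative range such as "last 15 minutes": the
# stored @timestamp is read as a UTC instant and compared against now-15m..now,
# regardless of the browser zone. Returns true if the document would be listed.
def visible_in_kibana_window?(stored_iso, now_utc, window_minutes = 15)
  stored = Time.iso8601(stored_iso).utc
  stored >= now_utc - window_minutes * 60 && stored <= now_utc
end

# What a browser in UTC+8 renders for a stored @timestamp: Kibana adds its own
# offset, so a value that was already advanced 8 hours is shown 16 hours ahead.
def kibana_display(stored_iso, browser_offset_hours = 8)
  (Time.iso8601(stored_iso).utc + browser_offset_hours * 3600).strftime('%Y-%m-%d %H:%M:%S')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed event: 18:30 UTC on 9 Aug is already 02:30 on 10 Aug in Beijing,
  # so the index name must carry the next day's date.
  fields = simulate_index_fields('2023-08-09T18:30:00.000Z')
  puts "index_date=#{fields['index_date']} index_date_1=#{fields['index_date_1']}"

  now = Time.utc(2023, 8, 9, 18, 40, 0)   # constructed "now", 10 minutes after the event
  original = '2023-08-09T18:30:00.000Z'
  shifted  = '2023-08-10T02:30:00.000Z'   # the same event after the +8h ruby filter
  puts "untouched @timestamp visible in last 15 min: #{visible_in_kibana_window?(original, now)}"
  puts "shifted   @timestamp visible in last 15 min: #{visible_in_kibana_window?(shifted, now)}"
  puts "UTC+8 browser shows: #{kibana_display(original)} vs #{kibana_display(shifted)}"
end
```

The shift is applied only to derive the index name; the untouched @timestamp stays in UTC, which is the combination that keeps Kibana's time range filter working while still routing each event to the index named after its Beijing date.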


Title: Logstash time field handling
Author: zifuy
URL: https://www.zifuy.cn/articles/2023/08/09/1691550545293.html