我是ELK Stack的新手。目前正在处理以下形式的syslog:Apr 26 12:20:02 localhost systemd[1]: Starting system activity accounting tool...
使用的grok模式如下:
grok {
match => {
"message" => [
"%{SYSLOGTIMESTAMP:syslog_date}\s+%{DATA:node}\s+%{DATA:component_name}\[%{NUMBER:pid}\]\:\s+%{GREEDYDATA:log_message}"]
我需要使用以下格式解析这些日志kibana,格式为syslog_date,并附加当前年份。
当前格式:
"log_message" => "Starting system activity accounting tool...",
"@timestamp" => August 28th 2019, 23:49:53.014,
"node" => "localhost",
"@version" => "1",
"host" => "localhost.localdomain",
"pid" => "1",
"message" => "Apr 26 12:20:02 localhost systemd[1]: Starting system activity accounting tool...",
"type" => "stdin",
"component_name" => "systemd",
"SYSLOGTIMESTAMP:syslog_date" => "Apr 26 12:20:02"
}
所需格式:
"log_message" => "Starting system activity accounting tool...",
"@timestamp" => August 28th 2019, 23:49:53.014,
"node" => "localhost",
"@version" => "1",
"host" => "localhost.localdomain",
"pid" => "1",
"message" => "Apr 26 12:20:02 localhost systemd[1]: Starting system activity accounting tool...",
"type" => "stdin",
"component_name" => "systemd",
"SYSLOGTIMESTAMP:syslog_date" => "Apr 26 2019 12:20:02"
}
有人可以帮忙吗?或任何其他可以满足这种情况的方式
最佳答案
您可以使用以下方式根据logstash中的@timestamp字段添加“当前”年份
mutate { add_field => { "dateWithYear" => "%{[syslog_date]} %{+YYYY}" } }
但是,有时会出现错误的年份(仅在12月31日午夜之后)。日期过滤器为此包含some handling,并且已经有关于changing的讨论。
关于elasticsearch - 有没有办法在logstash中将年份部分追加到系统日志中,我们在Stack Overflow上找到一个类似的问题:https://stackoverflow.com/questions/57785551/