0
我需要将UNIX时间戳字段的值写入@timestamp,以便我可以正确地为通过logstash流动的数据建立索引,我有这部分工作。不过我也有要求@timestamp的值应该是插入时间。为此,我制作了一个临时字段,其中包含@timestamp的原始值。在LogStash中写入@timestamp
以下是我与合作:
filter {
csv {
separator => " " # <- this white space is actually a tab, don't change it, it's already perfect
skip_empty_columns => true
columns => ["timestamp", ...]
}
# works just fine
mutate {
add_field => {
"tmp" => "%{@timestamp}"
}
}
# works just fine
date {
match => ["timestamp", "UNIX"]
target => "@timestamp"
}
# this works too
mutate {
add_field => {
"[@metadata][indexDate]" => "%{+YYYY-MM-dd}"
}
}
# @timestamp is not being set back to its original value
date {
match => ["tmp", "UNIX"]
target => "@timestamp"
}
# works just fine
mutate {
remove_field => ["tmp"]
}
}
output {
elasticsearch {
hosts => "elasticsearch:9200"
# this works
index => "indexname-%{[@metadata][indexDate]}"
}
}
的问题是在这里:
date {
match => ["tmp", "UNIX"]
target => "@timestamp"
}
@timestamp没有被设置回其原始值。当我检查数据时,它具有与timestamp字段相同的值。
你能简单地删除'目标=> ...'通常'@ timestamp'字段将被默认选中。 – Val
我刚刚尝试过,先在问题区域,然后在两个地方。 '@ timestamp'仍然保存'timestamp'的值。 – robbmj