Logstash无法识别登录时间

Question

我是新来的ELK阅读文档后栈但我仍然无法得到logstash认识到自定义时间

日志看起来是这样

2014-11-30 03:30:01.000118,122.99.34.242,123.56.212.1,44,u,q,NA,0  ? a.root-servers.net A 

我logstash过滤器是这个

filter { 
    date { 
      #2014-11-30 03:30:01.000118,122.99.34.242,123.56.212.1,44,u,q,NA,0  ? a.root-servers.net A 
      match => ["timestamp" , "YYYY-MM-dd HH:mm:ss"] 
      locale => "en" 
    } 
} 

但是当我运行它，虽然这个配置文件通过与日志文件它不出现识别匹配我有定义

{ 
    "message" => "2014-11-30 03:30:01.011895,123.52.36.153,213.55.121.1,55,u,q,NA,0\t? mobile-collector.newrelic.com A\t", 
    "@version" => "1", 
"@timestamp" => "2014-12-03T03:09:49.857Z", 
     "type" => "syslog", 
     "host" => "0.0.0.0", 
     "path" => "/var/log/dns/2014-11-30_0335_dnsparse.log" 
} 

我跑“logstash 1.4.2改性”

为了完整这里是我的整个logstash配置

input { 
    file { 
      path => "/var/log/dns/*.log" 
      type => "dns_parselog" 
      start_position => beginning 
    } 
} 

filter { 
    date { 
      #2014-11-30 03:30:01.000118,122.99.34.242,123.56.212.1,44,u,q,NA,0  ? a.root-servers.net A 
      match => ["timestamp" , "YYYY-MM-dd HH:mm:ss"] 
      locale => "en" 
    } 
} 
output { 
    elasticsearch { 
      host => localhost 
    } 
    stdout { codec => rubydebug } 
} 

Answer 1

你问日期过滤器解析了一场名为“时间戳”，但没有这样的字段。首先将消息中的时间戳提取到单独的字段，然后使用日期过滤器。

filter { 
    grok { 
    match => ["message", "%{TIMESTAMP_ISO8601:timestamp}"] 
    } 
    date { 
    match => ["timestamp", "YYYY-MM-dd HH:mm:ss.SSSSSS"] 
    remove_field => ["timestamp"] 
    } 
} 

您需要向grok表达式添加其他模式以提取附加字段，但这不在此问题的范围之内。