Logstash parsing old logs adds timestamp and @timestamp as dates.

Hello all, I am trying to parse old Apache logs. The output has the correct timestamp, but there is also an @timestamp field, and @timestamp is the current date and time. I want the timestamp to become the @timestamp in Kibana/Elasticsearch.

Example input:
172.31.21.26 - - [20/Jul/2017:22:10:52 +0200] "GET /mobile/getParent/NzE4MzU1ZmUtNmIwOC00N2JkLTk1YmYtNmNhZTUyZmVmNGYz HTTP/1.1" 200 452 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 (4301339520)"
conf file:
input {
  file {
    path => "/home/ronald/Downloads/log/httpd/short.log"
    start_position => "beginning"
  }
}
filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
}
output {
  elasticsearch {
    hosts => "localhost"
    index => "roha_test"
    document_type => "demo1"
  }
  stdout {
    codec => "rubydebug"
  }
}
Output:
{
        "request" => "/mobile/getParent/NzE4MzU1ZmUtNmIwOC00N2JkLTk1YmYtNmNhZTUyZmVmNGYz",
          "agent" => "\"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 (4301339520)\"",
           "auth" => "-",
          "ident" => "-",
           "verb" => "GET",
        "message" => "172.31.21.26 - - [20/Jul/2017:22:10:52 +0200] \"GET /mobile/getParent/NzE4MzU1ZmUtNmIwOC00N2JkLTk1YmYtNmNhZTUyZmVmNGYz HTTP/1.1\" 200 452 \"-\" \"Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8 (KHTML, like Gecko) Mobile/14G60 (4301339520)\"",
           "path" => "/home/ronald/Downloads/log/httpd/short.log",
       "referrer" => "\"-\"",
     "@timestamp" => 2017-10-06T08:49:10.440Z,
       "response" => "200",
          "bytes" => "452",
       "clientip" => "172.31.21.26",
       "@version" => "1",
           "host" => "ronald-XPS-13-9343",
    "httpversion" => "1.1",
      "timestamp" => "20/Jul/2017:22:10:52 +0200"
}
Logstash version 5.6.1
Add a "date" filter. – hjpotter92
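Putting the comment into practice, here is the filter section of the question's config with a date filter added. This is an added example, not code from the question or from the commenter. The grok pattern and the `timestamp` field name are the ones from the question; `dd/MMM/yyyy:HH:mm:ss Z` is the standard pattern for the Apache `%t` field that COMBINEDAPACHELOG captures into `timestamp`. The date filter parses that string and writes the result into `@timestamp`, which is what Kibana and Elasticsearch use for time-based queries and index routing.

```conf
filter {
  grok {
    match => { "message" => "%{COMBINEDAPACHELOG}" }
  }
  date {
    # Parse the Apache access-log time, e.g. "20/Jul/2017:22:10:52 +0200".
    # The trailing "Z" in the pattern consumes the numeric offset, so the
    # event is converted to UTC correctly regardless of the server's zone.
    match  => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
    # Month abbreviations in Apache logs are always English; pin the locale
    # so parsing does not break on a host with a non-English default.
    locale => "en"
    # @timestamp is the default target; stated here for clarity.
    target => "@timestamp"
  }
}
```

With this in place the event from the question gets `"@timestamp" => 2017-07-20T20:10:52.000Z` (22:10:52 at +0200 is 20:10:52 UTC) instead of the ingest time. The original `timestamp` string field is left in the event; add `remove_field => [ "timestamp" ]` inside the date block if the duplicate is not wanted. If the pattern does not match a line, the date filter leaves `@timestamp` at the ingest time and tags the event with `_dateparsefailure`, so searching for that tag in Kibana is the quickest way to confirm that every old log line was re-dated as intended.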