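Our production logs are received and shipped by Logstash (version 2.3), and we found that @timestamp is frequently 8 hours behind.
The fix is as follows; there is no need to modify the plugin source code: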
    input { stdin {} }
    output { stdout { codec => rubydebug } }
    filter {
      date {
        match => ["message", "UNIX_MS"]  # in real use, replace "message" with your own field
        target => "@timestamp"
      }
      ruby {
        code => "event['timestamp'] = LogStash::Timestamp.new(event['@timestamp'] + 8*60*60)"
      }
      ruby {
        code => "event['@timestamp'] = event['timestamp']"
      }
      mutate {
        remove_field => ["timestamp"]
      }
    }
In Logstash 5.x the configuration is different:
    input { stdin {} }
    output { stdout { codec => rubydebug } }
    filter {
      date {
        match => ["message", "UNIX_MS"]
        target => "@timestamp"
      }
      ruby {
        code => "event.set('timestamp', event.get('@timestamp').time.localtime + 8*60*60)"
      }
      ruby {
        code => "event.set('@timestamp', event.get('timestamp'))"
      }
      mutate {
        remove_field => ["timestamp"]
      }
    }
How to test:
echo '1504744911000' | ./logstash -f ~/test.conf
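What the test input turns into under the filters above, as an added example that is not part of the original post: plain Ruby (no Logstash needed) that parses the same UNIX_MS value, applies the same 8*60*60 shift, and reports the result. The helper names are hypothetical. The shifted value reads like the UTC+8 wall clock but is still labelled UTC, so as an instant it sits 28800 seconds after the real event, which matters when these logs are correlated with sources that keep true UTC.

```ruby
require 'time'

SHIFT_SECONDS = 8 * 60 * 60 # same offset the ruby filters above add

# Parse a UNIX_MS string as the date filter's UNIX_MS pattern does:
# milliseconds since the epoch, interpreted as UTC.
def parse_unix_ms(message)
  ms = Integer(message.strip, 10)
  Time.at(ms / 1000, ms % 1000, :millisecond).utc
end

# Value @timestamp holds after the shift: UTC+8 clock reading, still marked "Z".
def shifted_timestamp(message)
  (parse_unix_ms(message) + SHIFT_SECONDS).utc
end

# Side-by-side view of the original instant, the shifted field, and the
# true local rendering with an explicit +08:00 offset.
def report(message)
  original = parse_unix_ms(message)
  shifted  = shifted_timestamp(message)
  {
    original_utc:       original.iso8601(3),
    shifted_as_utc:     shifted.iso8601(3),
    local_utc8:         original.getlocal('+08:00').iso8601(3),
    epoch_skew_seconds: (shifted - original).to_i
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: the same value used in the test command above.
  report('1504744911000').each { |k, v| puts "#{k}: #{v}" }
end
```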
---------------------
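Author: javacoer
Source: CSDN
Original: https://blog.csdn.net/wuyinggui10000/article/details/77879016
Copyright notice: This is an original article by the blogger; please include a link to the post when reposting.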