How do I extract the time field from my log file and use it as @timestamp?
I wish to set the @timestamp field to read timestamps from my log lines instead of using the time when it read the log. How can I do this?
Example log lines:
2021.04.21 00:00:00.843 INF getBaseData: UserName = 'nou dont look', Password = 'psps', HTTPS=0
2021.04.21 00:00:00.843 INF getBaseData: UserName = 'you bad bad', Password = 'grign', HTTPS=0
2021.04.21 00:00:00.843 INF getBaseData: UserName = 'ayooooo', Password = 'butter sauce', HTTPS=0
2021.04.21 00:00:00.858 INF *** BEGINNING OF ARCCore.performARCTask ***
2021.04.21 00:00:00.858 INF *** BEGINNING OF ARCCore.ProcessTask ***
2021.04.21 00:00:01.266 INF ARCCore.DCI4ARCSyncLogin: login successfully executed. - No error - DCI4ARCSync-CurrSessions/MaxSessions=17/400 CurrProcesses/MaxProcesses=16/250
2021.04.21 00:00:01.297 INF ARCCore.DCI4ARCSyncLogin: login successfully executed. - No error - DCI4ARCSync-CurrSessions/MaxSessions=7/400 CurrProcesses/MaxProcesses=7/250
2021.04.21 00:00:08.165 INF *** BEGINNING OF SYNC ARC TO DC ***--->bIsExternal:0
2021.04.21 00:00:08.434 INF BOC login successfully executed. - No Error - DCI4ARC-CurrSessions/MaxSessions=24/400 CurrProcesses/MaxProcesses=15/250
2021.04.21 00:00:08.635 INF BOCVersionNr ==> V16.1.00.00
2021.04.21 00:00:08.804 INF setEntitySnapshot successfully executed
2021.04.21 00:00:09.453 INF getSnapshotList successfully executed
2021.04.21 00:00:09.461 INF getARCVersion: ARCVersionNr ==> V16.0.00.06
I use the following tokenizers to dissect log lines:
processors:
  - dissect:
      when:
        contains:
          message: "UserName"
      tokenizer: "%{timestamplog} %{+timestamplog} %{type} %{func}: UserName = 'ARC_%{trash1}_%{trash2}_%{trash3}, Password = '%{password}', HTTPS=%{https}"
      target_prefix: "axess"
  - dissect:
      when:
        contains:
          message: "BOCVersionNr"
      tokenizer: "%{timestamplog} %{+timestamplog} %{type} BOCVersionNr ==> %{BOCversionNr|ip}"
      target_prefix: "axess"
  - dissect:
      when:
        contains:
          message: "ARCVersionNr"
      tokenizer: "%{timestamplog} %{+timestamplog} %{type} getARCVersion: ARCVersionNr ==> %{ARCVersionNr|ip}"
      target_prefix: "axess"
  - dissect:
      when:
        contains:
          message: "ERR"
      tokenizer: "%{timestamplog} %{+timestamplog} %{type} %{ErrMsg}"
      target_prefix: "axess"
  - dissect:
      when:
        contains:
          message: "INF"
      tokenizer: "%{timestamplog} %{+timestamplog} %{type} %{InfMsg}"
      target_prefix: "axess"
Now what I wish to achieve is that in Kibana my @timestamp uses the values from the axess.timestamplog field, so that I can apply ranges and other time-related operations to the data.
Comments (1)
You could use the rename processor to rename your event into @timestamp. If you wish to keep this information in axess.timestamplog you may want to use the copy processor. There are many solutions, also directly in Elasticsearch by tweaking the index settings. But as you do not mention this in your question I considered it off topic.