如何正确地将“时间”从Fluentd事件传递给Elasticsearch和Kibana?
tl; dr;
在Fluentd中,如何从事件中添加时间到Elasticsearch(因此,在Kibana中的数据视图中可以用作“时间戳字段”)?
我能够添加time和标签这样:
<filter grabt.listener.**>
@type record_transformer
<record>
tag ${tag}
time ${time}
</record>
</filter>
但是time是字符串格式(2022-04-17T17:17:17: 31+00:00),不能用作时间戳字段。
完整的问题,
我使用- log-driver = fluentd在Docker容器中运行Python脚本。
我有一个基本的Fluentd,Elasticsearch,Kibana设置(官方文档中几乎一对一): https:// https:// github.com/jkulak/efk-stack 。
我的python脚本正在使用structLog进行记录,并且我看到了Stdout中的JSON日志。
我所有的日志都将用于Elasticsearch,我可以在Kibana中看到它们。到目前为止,一切都很好。
在Kibana中,在定义新数据视图时,我将无法在禁用时选择时间戳字段(请参阅下面的我的屏幕)。
我的Fluentd配置就像:
<source>
@type forward
port 24224
</source>
<filter grabt.listener.**>
@type parser
key_name "$.log"
hash_value_field "log"
reserve_data true
<parse>
@type json
time_key time
keep_time_key true
</parse>
</filter>
<filter grabt.listener.**>
@type record_transformer
<record>
tag ${tag}
time ${time} # <---- what to do here?
</record>
</filter>
如何在记录中包含任何格式的时间,该格式将存储在Elasticsearch中,然后考虑了Kibana的适当日期/时间,时间戳记值,以便我可以按时间对记录进行分类?
Update
如下评论所建议,您可以找到我看到的日志以及我想看到的。
我的python脚本将JSON记录到Stdout:
{"logger": "get_albums.py", "name": "Heiken & Kenshin", "spotify_id": "3bIU4wnnl3J1J0w2dCciL5", "object": "artist", "event": "Processing artist"}
当Fluentd将其保存到文件@Type文件时,我看到time and tag 保存在一起使用我的日志数据(事件) - 应该( Fluentd事件结构):
2022-04-17T17:17:31+00:00 grabt.listener {"container_name":"/get-albums","source":"stdout","log":"{\"logger\": \"get_albums.py\", \"name\": \"Heiken & Kenshin\", \"spotify_id\": \"3bIU4wnnl3J1J0w2dCciL5\", \"object\": \"artist\", \"event\": \"\\ud83d\\udc68\\ud83c\\udffd\\u200d\\ud83c\\udfa4 Processing\"}\r","container_id":"f16ff942df2bb20dcf5dd7f338fd245dcfbc3b5ba1d15c89306074d2befdadae"}
但是,当保存到elasticsearch(并在Kibana中显示)时,它会错过时间字段:
log.event:Processing artist log.object artist container_id:f16ff942df2bb20dcf5dd7f338fd245dcfbc3b5ba1d15c89306074d2befdadae container_name:/get-albums log.logger:get_albums.py log.name:Heiken & Kenshin log.spotify_id:0tCtGc5vt29zFZp6KXzN50 source:stdout tag:grabt.listener _id:3bIU4wnnl3J1J0w2dCciL5 _index:grabtracksp-listeners _score:5.855
它缺少time field(或任何类型的时间/时间戳字段)可以用来时间表奇巴纳的事件。
我可以将Python中的时间添加到日志中。我可以使用fluentd-Plugin-elastcicsearch添加时间戳字段。但是我想知道如何在Fluentd中使用其插件进行操作。谢谢。
tl;dr;
How in fluentd add time from the event to Elasticsearch (so it's usable as "Timestamp field" in Data view in Kibana)?
I was able to add time and tag like that:
<filter grabt.listener.**>
@type record_transformer
<record>
tag ${tag}
time ${time}
</record>
</filter>
But time is in string format (2022-04-17T17:17:31+00:00) and can not be used as a Timestamp field.
Full question
I am running a Python script inside a Docker container using --log-driver=fluentd.
I have a basic Fluentd, Elasticsearch, Kibana setup (almost one to one from official documentation): https://github.com/jkulak/efk-stack.
My Python script is logging using structlog and I see json logs in the stdout as expected.
All my logs are going to Elasticsearch and I can see them in Kibana. So far so good.
In Kibana, when defining new Data View, I am not able to select a Timestamp field as it is disabled (please see my screen below).
My fluentd configuration is like:
<source>
@type forward
port 24224
</source>
<filter grabt.listener.**>
@type parser
key_name "$.log"
hash_value_field "log"
reserve_data true
<parse>
@type json
time_key time
keep_time_key true
</parse>
</filter>
<filter grabt.listener.**>
@type record_transformer
<record>
tag ${tag}
time ${time} # <---- what to do here?
</record>
</filter>
How to include in the record, time in any format that would be stored in Elasticsearch and then considered a proper date/time, timestamp value by Kibana, so I can sort my records by time?
Update
As suggested in the comment below you can find logs I see and what I would like to see.
My Python script logs JSON to stdout:
{"logger": "get_albums.py", "name": "Heiken & Kenshin", "spotify_id": "3bIU4wnnl3J1J0w2dCciL5", "object": "artist", "event": "Processing artist"}
When Fluentd is saving it to a file @type file then I see that time and tag is saved together with my log data (event) - as it should (fluentd event structure):
2022-04-17T17:17:31+00:00 grabt.listener {"container_name":"/get-albums","source":"stdout","log":"{\"logger\": \"get_albums.py\", \"name\": \"Heiken & Kenshin\", \"spotify_id\": \"3bIU4wnnl3J1J0w2dCciL5\", \"object\": \"artist\", \"event\": \"\\ud83d\\udc68\\ud83c\\udffd\\u200d\\ud83c\\udfa4 Processing\"}\r","container_id":"f16ff942df2bb20dcf5dd7f338fd245dcfbc3b5ba1d15c89306074d2befdadae"}
But when saved to Elasticsearch (and displayed in Kibana) it misses the time field:
log.event:Processing artist log.object artist container_id:f16ff942df2bb20dcf5dd7f338fd245dcfbc3b5ba1d15c89306074d2befdadae container_name:/get-albums log.logger:get_albums.py log.name:Heiken & Kenshin log.spotify_id:0tCtGc5vt29zFZp6KXzN50 source:stdout tag:grabt.listener _id:3bIU4wnnl3J1J0w2dCciL5 _index:grabtracksp-listeners _score:5.855
It is missing the time field (or any kind of time/timestamp field) that can be used to timeline the events in Kibana.
I could add the time in Python to the log. I could add the timestamp field using the fluentd-plugin-elascticsearch. But I am wondering how to do it in Fluentd with it's plugins. Thank you.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
将字段添加到您的记录中,并带有
$ {time}的值,您可以像这样格式化时间:
这将打印出具有两个字段的JSON对象:格式的时间戳和消息。
每个Fluentd事件都会打印出时间戳,标签和
record(通过Record_transFormer管理您可以使用
time $ {time $ {time}和使用标签$ {tag}的标签,或将其添加到您的记录中,您可以
在
&lt; match&gt;内使用以显示记录(不包括时间和标签)add a field to your record with the value of
${time}you can format your time like this:
this prints out a json object with two fields: a formatted timestamp, and a message.
each fluentd event prints out the timestamp, tag, and the
record(managed viarecord_transformeryou can refer to the time using
time ${time}and the tag usingtag ${tag}, or add these to your recordmoreover you can use
inside
<match>to show only the record (excluding time and tag)