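Our company's production logs are received and shipped by Logstash. The version in use is Logstash 2.3, and we found that @timestamp is often 8 hours behind.
The fix is handled in the pipeline configuration as follows; there is no need to modify the plugin source code.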
    input { stdin {} }
    output { stdout { codec => rubydebug } }
    filter {
      date {
        match => ["message","UNIX_MS"] # in real use, replace "message" with your own field
        target => "@timestamp"
      }
      ruby {
        code => "event['timestamp'] = LogStash::Timestamp.new(event['@timestamp']+ 8*60*60)"
      }
      ruby {
        code => "event['@timestamp']= event['timestamp']"
      }
      mutate {
        remove_field => ["timestamp"]
      }
    }

In addition, the configuration is different for Logstash 5.x:

    input { stdin {} }
    output { stdout { codec => rubydebug } }
    filter {
      date {
        match => ["message","UNIX_MS"]
        target => "@timestamp"
      }
      ruby {
        code => "event.set('timestamp', event.get('@timestamp').time.localtime + 8*60*60)"
      }
      ruby {
        code => "event.set('@timestamp',event.get('timestamp'))"
      }
      mutate {
        remove_field => ["timestamp"]
      }
    }
Test method

    echo '1504744911000' | ./logstash -f ~/test.conf

Author: javacoer
Original: https://blog.csdn.net/wuyinggui10000/article/details/77879016
Copyright notice: this is an original article by the blogger; please include a link to the post when reposting.
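What the filter above does to the test value, as an added Ruby example (not code from the original post): the stored @timestamp shows UTC+8 wall-clock time but is still serialized as UTC, so as an instant it is 8 hours ahead, which changes event order when merged with a source that keeps true UTC. The firewall record and the `looks_shifted?` and `timeline` helpers are hypothetical, constructed for illustration.

```ruby
require 'time'

SHIFT_SECONDS = 8 * 60 * 60 # offset the ruby filter adds (UTC+8)

# Same conversion as the date filter's UNIX_MS pattern: epoch ms -> UTC instant.
def parse_unix_ms(message)
  ms = Integer(message.strip, 10)
  Time.at(ms / 1000, ms % 1000, :millisecond).utc
end

# Value the pipeline stores in @timestamp after the ruby filter has run.
# It is still serialized with a trailing "Z", so consumers read it as UTC.
def shifted_timestamp(message)
  parse_unix_ms(message) + SHIFT_SECONDS
end

# Hypothetical check: an event stamped ahead of its ingest time by about
# the offset was written by a shifted pipeline.
def looks_shifted?(event_time, ingest_time, tolerance: 300)
  ((event_time - ingest_time) - SHIFT_SECONDS).abs <= tolerance
end

# Merge events from several sources into one timeline, ordered by stored timestamp.
def timeline(events)
  events.sort_by { |e| e[:ts] }.map { |e| e[:name] }
end

# Constructed sample data: the test value from the post, and a firewall
# record (true UTC) that really happened one second later.
APP_MS   = '1504744911000'
FIREWALL = Time.utc(2017, 9, 7, 0, 41, 52)

def demo
  true_order = timeline([{ name: 'app', ts: parse_unix_ms(APP_MS) },
                         { name: 'firewall', ts: FIREWALL }])
  stored_order = timeline([{ name: 'app', ts: shifted_timestamp(APP_MS) },
                           { name: 'firewall', ts: FIREWALL }])
  { true_order: true_order, stored_order: stored_order }
end

if __FILE__ == $PROGRAM_NAME
  puts "parsed : #{parse_unix_ms(APP_MS).iso8601}"
  puts "stored : #{shifted_timestamp(APP_MS).iso8601}"
  puts "orders : #{demo.inspect}"
end
```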