logstash时间戳@timestamp修改为北京时间
input { beats { port => "5044" } } filter { grok { match => [ # 此处的^A为vim下的CTRL+A "message", "time^B%{INT:timestamp}^Aid^B%{NOTSPACE:sn}^Aasr^B%{NOTSPACE:asr}^Anlp^B%{DATA:nlp}^Adomain^B%{JAVACLASS:domain}^Aintent^B%{NOTSPACE:intent}" ] } date { match => ["timestamp", "UNIX_MS"] target => "@timestamp" } ruby { code => "event.set('temp', event.get('@timestamp').time.localtime + 8*60*60); event.set('@timestamp', event.get('temp'))" } } output { # stdout { codec => rubydebug } file { codec => line {format => "%{message}"} path => "/home/admin/data/speech/speech.log.%{+YYYYMMdd}" } file { codec => line {format => "%{+YYYY-MM-dd HH:mm:ss}^A%{sn}^A%{asr}^A%{nlp}^A%{domain}^A%{intent}"} path => "/home/admin/data/speech/speech%{+YYYY-MM-dd}" } }
logstash@timestampUTC时间修改为北京时间
filter { ruby { code => "event.set('timestamp', event.get('@timestamp').time.localtime + 8*60*60)" } ruby { code => "event.set('@timestamp',event.get('timestamp'))" } mutate { remove_field => ["timestamp"] } }