适用场景
- 获取日志本身时间
- 日志时间转Unix时间
- 重组message
示例日志:
hellow@,@world@,@2011-11-01 18:46:43
logstash 配置文件:
input{ stdin{} }
filter{ grok{
match =>{"message"=>"%{WORD:s1}@,@%{WORD:s2}@,@%{TIMESTAMP_ISO8601:t1}"}
remove_field => "message"
}
date{match=>["t1","YYYY-MM-dd HH:mm:ss"]
target=>"logdate"}
ruby {
code => "
event['logdateunix'] = event['logdate'].to_i
event['yourmsg']=event['logdate'].to_s+event['s1']+event['s2']
" # combine fields you want in yourmsg Note the tyoe conversion
}
}
output{ stdout{codec => rubydebug} }
输出结果:
