时区差8个小时解决

下面例子, 时区差8个小时

  1. # Sample Logstash configuration for creating a simple
  2. # Beats -> Logstash -> Elasticsearch pipeline.
  4. input {
  5.   beats {
  6.     port => 5044
  7.   }
  8. }
  10. filter {
  12.   ruby {
  13.     code => "event.timestamp.time.localtime"
  14.   }
  16.   if [fields][file_source] == "log" {
  17.     grok {
  18.       match => { "message" => "%{TIMESTAMP_ISO8601:log_date}\s+\[%{NOTSPACE:thread}\]\s+%{NOTSPACE:log_level}\s+%{NOTSPACE:logger}\s+-\s+(?<log_message>.*)" }
  19.     }
  20.     if "_grokparsefailure" in [tags] {
  21.       drop {}
  22.     }
  23.     if [log_level] != "ERROR" {
  24.       drop {}
  25.     }
  26.   } else if [fields][file_source] == "dot" {
  27.     grok {
  28.       match => { "message" => "%{TIMESTAMP_ISO8601:log_date}\s+\[%{NOTSPACE:thread}\]\s+%{NOTSPACE:log_level}\s+%{NOTSPACE:logger}\s+-\s+__glde:title=%{DATA:dot_title}&url=%{DATA:dot_url}&type=%{DATA:dot_type}&version=%{DATA:dot_version}&source=%{DATA:dot_source}&app-ver=%{DATA:dot_app_ver}&tenant-code=%{DATA:dot_tenant_code}&spm=%{DATA:dot_spm}&uid=%{DATA:dot_uid}&tid=%{DATA:dot_tid}&tc=%{DATA:dot_tc}&tr=%{DATA:dot_tr}&sr=%{DATA:dot_sr}&sra=%{DATA:dot_sra}&timestamp=%{NUMBER:dot_timestamp}&ip=%{DATA:dot_ip}&sessionId=%{DATA:dot_session_id}\s+(?<other_message>.*)" }
  29.     }
  30.     if "_grokparsefailure" in [tags] {
  31.       drop {}
  32.     }
  33.     if [log_level] != "INFO" {
  34.       drop {}
  35.     }
  36.   }
  37. }
  39. output {
  41.   if [fields][file_source] == "log" {
  42.     elasticsearch {
  43.       hosts => ["http://localhost:9200","host2:9200"]
  44.       index => "hao-log-%{+YYYY.MM.dd}"
  45.       #user => "elastic"
  46.       #password => "changeme"
  47.     }
  48.   } else if [fields][file_source] == "dot" {
  49.     elasticsearch {
  50.       hosts => ["http://localhost:9200","host2:9200"]
  51.       index => "hao-dot-%{+YYYY.MM.dd}"
  52.       #user => "elastic"
  53.       #password => "changeme"
  54.     }
  55.   }
  58. }

需要改为类似这样的

input { 
    stdin { 
        add_field => {"timestamp" => "2022-02-08 18:35:56.280"}
        codec => "plain"
        type => "std"
    } 
} 

filter {
    mutate {
        add_field => { "nowTimeTemp" =>  "%{[timestamp]}"}
    }

    mutate {
        split => ["nowTimeTemp"," "]
        split => ["[nowTimeTemp][0]","-"]
        add_field =>   {
            "currentIndexPrefix" => "%{[nowTimeTemp][0][0]}.%{[nowTimeTemp][0][1]}.%{[nowTimeTemp][0][2]}"
        }
        remove_field => ["nowTimeTemp"]
    }
}

output { 
    stdout {
        codec => rubydebug
    } 
}

输出

{
              "@version" => "1",
             "timestamp" => "2022-02-08 18:35:56.280",
               "message" => "111",
                  "type" => "std",
                  "host" => "xjd-jdxia.local",
            "@timestamp" => 2022-02-09T03:34:08.189Z,
    "currentIndexPrefix" => "2022.02.08"
}

上面的logstash改为

output {

  if [fields][file_source] == "log" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "hao-log-%{[currentIndexPrefix]}"
      #user => "elastic"
      #password => "changeme"
    }
  } else if [fields][file_source] == "dot" {
    elasticsearch {
      hosts => ["http://localhost:9200"]
      index => "hao-dot-%{[currentIndexPrefix]}"
      #user => "elastic"
      #password => "changeme"
    }
  }


}