公司线上日志是通过 logstash 接收并上传的,使用版本是 logstash 2.3,发现 @timestamp 经常比本地时间少 8 个小时(@timestamp 按 UTC 存储,而本地时间是东八区);
处理逻辑如下,无需修改插件源码
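# Logstash 2.3 pipeline: parse an epoch-milliseconds value into @timestamp,
# then move @timestamp forward by a fixed 8 hours (UTC+8, no DST handling).
input { stdin {} }
output { stdout { codec => rubydebug } }
filter {
  date {
    # "message" is the field holding the epoch-milliseconds value; replace it
    # with your own field name in real use.
    match => ["message", "UNIX_MS"]
    target => "@timestamp"
  }
  # NOTE: Logstash stores @timestamp in UTC. Adding 8 hours changes the stored
  # instant itself, so any consumer that reads @timestamp as UTC (for example
  # when lining these events up with logs from other systems during an
  # investigation) will place them 8 hours late. Confirm that every downstream
  # reader expects the shifted value before deploying this.
  ruby {
    # Shift in place rather than through a temporary "timestamp" field, so an
    # event's own "timestamp" field is neither overwritten nor removed.
    code => "event['@timestamp'] = LogStash::Timestamp.new(event['@timestamp'] + 8*60*60)"
  }
}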
另外,5.x 版本的 logstash 配置有所不同(event 字段改用 event.get / event.set 读写):
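# Logstash 5.x pipeline: same idea as the 2.3 version, but event fields are
# read and written through event.get / event.set.
input { stdin {} }
output { stdout { codec => rubydebug } }
filter {
  date {
    # "message" is the field holding the epoch-milliseconds value; replace it
    # with your own field name in real use.
    match => ["message", "UNIX_MS"]
    target => "@timestamp"
  }
  # NOTE: Logstash stores @timestamp in UTC. Adding 8 hours changes the stored
  # instant itself, so any consumer that reads @timestamp as UTC (for example
  # when lining these events up with logs from other systems during an
  # investigation) will place them 8 hours late. Confirm that every downstream
  # reader expects the shifted value before deploying this.
  ruby {
    # Shift in place rather than through a temporary "timestamp" field, so an
    # event's own "timestamp" field is neither overwritten nor removed.
    # The offset is a fixed 8 hours (UTC+8, no DST handling).
    code => "event.set('@timestamp', LogStash::Timestamp.new(event.get('@timestamp').time + 8*60*60))"
  }
}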
测试方法
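# Feed one epoch-milliseconds value on stdin; the rubydebug output on stdout
# shows the resulting @timestamp. The space after `echo` is required, otherwise
# the shell looks for a command named `echo1504744911000`.
echo '1504744911000' | ./logstash -f ~/test.conf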