filter {
  multiline {
    pattern => "^\s*$"
    what => "previous"
    negate => true
  }
  grok {
    patterns_dir => "/etc/logstash/patterns"
    match => { "message" => "%{GREEDYDATA:message}" }
    overwrite => ["message"]
  }
  mutate {
    gsub => ["message", "\n", " "]
    split => ["message", " "]
  }
  date {
    match => ["%{message[0]}","ISO8601", "UNIX" ]
  }
}
The output is:
{
  "message" => [
    [0] "2015-12-03T01:33:22+00:00",
    [1]
    [2]
    [3]
    [4] "2015-12-03T01:33:25+00:00",
    [5]
    [6]
    [7]
  ],
  "@version" => "1"
  ............
}
Written this way, neither %{message[0]} nor %{[message][0]} picks up the value in message[0] for the date match. How should this be done?
2 replies
medcl - Tonight we fight the tiger.
njedison
api||GetContactCoreInfo||11526||Params-a:3:{s:8:"strInput";s:11:"13915823054";s:5:"iType";i:1;s:18:"isContainScoreInfo";b:1;}
2015-12-03T01:33:25+00:00 INFO (6):
api||GetContactCoreInfo||11526||3||Result-O:8:"stdClass":1:{s:24:"GetContactCoreInfoResult";O:8:"stdClass":1:{s:6:"string";a:12:{i:0;s:36:"6fa5e16c-fe0a-e311-bca4-e4115bb246ea";i:1;s:11:"05190134114";i:2;s:9:"";i:3;s:11:"13915823054";i:4;s:6:"正常";i:5;s:2:"87";i:6;s:1:"0";i:7;s:2:"71";i:8;s:10:"2016-03-31";i:9;s:4:"6073";i:10;s:9:"100000000";i:11;s:18:"320101199920203339";}}}
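Or, put another way, I would like to extract the two dates, convert them to the "YYYY-mm-dd:HH:mm:ss" format, and then subtract one from the other. Is that possible?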
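Added example, not part of the thread and not Logstash's own code: the extraction and subtraction asked about above, written as standalone Ruby (the language of Logstash's `ruby` filter) so the logic can be checked outside a pipeline. The function names, the output keys and the sample event are assumptions constructed for illustration.

```ruby
require 'time'

# ISO8601 timestamp with "Z" or a numeric offset, as in the thread's log lines.
# Date-only values inside the payload (e.g. "2016-03-31") do not match.
ISO_TS = /\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:Z|[+-]\d{2}:\d{2})/

# Constructed sample: one merged request/response event shaped like the
# thread's log, with placeholder payloads.
SAMPLE_EVENT = [
  '2015-12-03T01:33:22+00:00 INFO (6):',
  'api||GetContactCoreInfo||11526||Params-a:1:{s:5:"iType";i:1;}',
  '2015-12-03T01:33:25+00:00 INFO (6):',
  'api||GetContactCoreInfo||11526||3||Result-a:1:{i:0;s:10:"2016-03-31";}'
].join("\n")

# Returns every parseable timestamp in the merged message, in order.
# Matches that are not real dates (such as month 13) are skipped.
def extract_timestamps(message)
  message.scan(ISO_TS).map do |raw|
    begin
      Time.iso8601(raw)
    rescue ArgumentError
      nil
    end
  end.compact
end

# Formats the first and last timestamps as requested in the thread and
# subtracts them as Time objects, so differing UTC offsets cannot skew the
# result. Returns nil when the event holds fewer than two timestamps.
# The hash keys are hypothetical field names.
def request_duration(message)
  stamps = extract_timestamps(message).map(&:utc)
  return nil if stamps.size < 2

  fmt = '%Y-%m-%d:%H:%M:%S'
  {
    'request_time' => stamps.first.strftime(fmt),
    'response_time' => stamps.last.strftime(fmt),
    'duration_seconds' => (stamps.last - stamps.first).round(3)
  }
end

p request_duration(SAMPLE_EVENT)
```

Subtracting parsed times rather than the formatted strings keeps the duration correct when the two lines carry different UTC offsets.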