我想从.history里取出时间和命令。过滤出来的结果如下，我想把time转换成年月日的时间，在config文件中加入date之后就报错。请问怎样把提取出的time字段转换成时间。time字段是unix_ms时间。
{
"source" => "/root/.bash_history",
"user" => "root",
"command" => "ls",
"host" => "elk",
"time" => "1518426340",
"message" => "#1518426340\nls -ltrap",
"hostname" => "elk",
"tags" => [
[0] "history"
],
"@timestamp" => 2018-02-12T08:55:35.016Z
}
P/S: 配置文件
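# Logstash pipeline: shell-history lines shipped by Filebeat (port 5044),
# split into [time] / [command] / [user], with @timestamp taken from the
# history timestamp instead of the ingestion time.
input {
  beats {
    port => 5044
  }
}
filter {
  if [tags][0] == "history" {
    # message is "#<epoch>\n<command>". \d+ guarantees that only digits reach
    # the date filter; .+ accepts commands that start with "/" or "." (the
    # original \w.* silently failed on those lines).
    grok {
      match => {
        "message" => "^#(?<time>\d+)\n(?<command>.+)"
      }
      overwrite => ["message"]
    }
    # user = the directory component directly before the file name,
    # e.g. /root/.bash_history -> root, /home/alice/.bash_history -> alice.
    grok {
      match => {
        "source" => "/(?<user>[^/]+)/[^/]+$"
      }
    }
    # Fix 1: date is its own filter and must sit beside grok, not inside the
    # second grok block as in the original; Logstash treats the nested "date"
    # as an unknown grok setting, which is the error seen after adding it.
    # Fix 2: the sample values (1518426340) are 10-digit epoch *seconds*
    # (they agree with the 2018-02-12 @timestamp), so the pattern is UNIX.
    # UNIX_MS would read them as milliseconds and yield dates in 1970.
    date {
      match => [ "time", "UNIX" ]
      target => "@timestamp"
      locale => "en"
    }
    # [command] is raw shell input and can carry credentials typed on the
    # command line; consider masking or dropping such lines before indexing.
    mutate {
      remove_tag => ["beats_input_codec_plain_applied"]
      add_field => { "hostname" => "%{[beat][hostname]}" }
      remove_field => ["beat","prospector","offset","@version"]
    }
  }
}
output {
  stdout {
    codec => rubydebug
  }
}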
P/S: 日志文件
#1518426340
ls -ltrap
#1518424255
tail -f /var/log/logstash/logstash-plain.log
#1518427320
history
#1518427330
cd
{
"source" => "/root/.bash_history",
"user" => "root",
"command" => "ls",
"host" => "elk",
"time" => "1518426340",
"message" => "#1518426340\nls -ltrap",
"hostname" => "elk",
"tags" => [
[0] "history"
],
"@timestamp" => 2018-02-12T08:55:35.016Z
}
P/S: 配置文件
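# Logstash pipeline: shell-history lines shipped by Filebeat (port 5044),
# split into [time] / [command] / [user], with @timestamp taken from the
# history timestamp instead of the ingestion time.
input {
  beats {
    port => 5044
  }
}
filter {
  if [tags][0] == "history" {
    # message is "#<epoch>\n<command>". \d+ guarantees that only digits reach
    # the date filter; .+ accepts commands that start with "/" or "." (the
    # original \w.* silently failed on those lines).
    grok {
      match => {
        "message" => "^#(?<time>\d+)\n(?<command>.+)"
      }
      overwrite => ["message"]
    }
    # user = the directory component directly before the file name,
    # e.g. /root/.bash_history -> root, /home/alice/.bash_history -> alice.
    grok {
      match => {
        "source" => "/(?<user>[^/]+)/[^/]+$"
      }
    }
    # Fix 1: date is its own filter and must sit beside grok, not inside the
    # second grok block as in the original; Logstash treats the nested "date"
    # as an unknown grok setting, which is the error seen after adding it.
    # Fix 2: the sample values (1518426340) are 10-digit epoch *seconds*
    # (they agree with the 2018-02-12 @timestamp), so the pattern is UNIX.
    # UNIX_MS would read them as milliseconds and yield dates in 1970.
    date {
      match => [ "time", "UNIX" ]
      target => "@timestamp"
      locale => "en"
    }
    # [command] is raw shell input and can carry credentials typed on the
    # command line; consider masking or dropping such lines before indexing.
    mutate {
      remove_tag => ["beats_input_codec_plain_applied"]
      add_field => { "hostname" => "%{[beat][hostname]}" }
      remove_field => ["beat","prospector","offset","@version"]
    }
  }
}
output {
  stdout {
    codec => rubydebug
  }
}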
P/S: 日志文件
#1518426340
ls -ltrap
#1518424255
tail -f /var/log/logstash/logstash-plain.log
#1518427320
history
#1518427330
cd