日志文件中已经有了@timestamp字段，存入es后被logstash覆盖了

Logstash | 作者 yokv | 发布于2018年05月02日 | 阅读数：5578

分享到：QQ空间新浪微博微信 QQ好友印象笔记有道云笔记

能不能做到不改变日志文件中的@timestamp字段名，想要使用日志文件中的@timestamp

4 个回复

medcl - 今晚打老虎。

应该不会的啊，如果数据已经有@timestap 字段，不会被覆盖的，你是不是自己又加了 date filter 了，配置文件发出来看看。

yokv

input {

	beats {

		codec => "json"

		port => "5044"

	}

}



filter {

	if "nginx-access" in [tags] {

		useragent {

			target => "userAgent"

			source => "useragent"

		}

		geoip {

			source => "forwarded"

			target => "geoip"



		}

	} else if "application-log" in [tags] {



	}

}



output {

	if "nginx-access" in [tags] {

		elasticsearch {

			hosts => ["xx:9200"]

			index => "logstash-nginx-%{+YYYY.MM.dd}"

		}

	} else if "application-log" in [tags] {

		elasticsearch {

			hosts => ["xx:9200"]

			index => "logstash-application-log-%{+YYYY.MM.dd}"

		}

	}

}

版本都是6.2.4

nginx日志数据格式

{

	"@timestamp": "2018-04-28T16:26:04+08:00",

	"@version": "1",

	"host": "192.168.3.20",

	"request": "POST /xxxx HTTP/1.1",

	"client": "192.168.3.1",

	"size": "595",

	"responsetime": "1.765",

	"domain": "",

	"url": "",

	"referer": "",

	"useragent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36",

	"status": "200",

	"forwarded": "-",

	"cookie": "JSESSIONID=88121A21256AE973B5902357C58B4006; language=zh_CN"

}