https://discuss.elastic.co/t/f ... 51748
How do I fix this?
filebeat 6.4.2: the timestamp is not right.
I use filebeat 6.4.2 to send to ES.
The time is +8, which is not right.
My machine's timezone is
Wed Oct 10 13:03:45 CST 2018
but the filebeat time written into ES looks like
"@timestamp" : "2018-10-10T12:58:01.000Z",
How can I change @timestamp by -8 hours?
Searching with this is not OK.
In system.yml at /etc/filebeat/modules.d:
- module: system
  # Syslog
  syslog:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
    var.convert_timezone: false
    #var.convert_timezone: true
  # Authorization logs
  auth:
    enabled: true
    # Set custom paths for the log files. If left empty,
    # Filebeat will choose the paths depending on your OS.
    #var.paths:
    # Convert the timestamp to UTC. Requires Elasticsearch >= 6.1.
    var.convert_timezone: false
    #var.convert_timezone: true
Should var.convert_timezone be true or false when my timezone is not UTC but CST?
5 replies
rochy - rochy_he
You can check the value of the beat.timezone field.
zqc0512 - andy zhou
What can be done about this?
"@timestamp": "2018-10-10T15:25:21.000Z", the original file is +8 and the value hasn't been reduced at all, damn it...
zqc0512 - andy zhou
{
  "description" : "testime",
  "processors" : [
    {
      "date" : {
        "field" : "@timestamp",
        "target_field" : "timestamp",
        "formats" : ["ISO8601"],
        "timezone" : "Asia/Shanghai",
        "locale" : "cn"
      }
    }
  ]
}
This is the content of the pipeline.
When I query in ES, the timestamp field doesn't show up at all...
How do I fix this?
I don't want to wrap another layer of Logstash around it to process it.
@rochy
zqc0512 - andy zhou
"timezone" : "CST"
Damn it. I searched all over for this.
zqc0512 - andy zhou
It's the content below:
"filebeat-6.4.2-system-syslog-pipeline" : {
  "processors" : [
    {
      "grok" : {
        "ignore_missing" : true,
        "field" : "message",
        "patterns" : [
          "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{SYSLOGHOST:system.syslog.hostname} %{DATA:system.syslog.program}(?:\\[%{POSINT:system.syslog.pid}\\])?: %{GREEDYMULTILINE:system.syslog.message}",
          "%{SYSLOGTIMESTAMP:system.syslog.timestamp} %{GREEDYMULTILINE:system.syslog.message}"
        ],
        "pattern_definitions" : {
          "GREEDYMULTILINE" : "(.|\n)*"
        }
      }
    },
    {
      "remove" : {
        "field" : "message"
      }
    },
    {
      "date" : {
        "target_field" : "@timestamp",
        "formats" : [ "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ],
        "ignore_failure" : true,
        "field" : "system.syslog.timestamp",
        "timezone" : "CST"
      }
    }
  ],
  "on_failure" : [
    {
      "set" : {
        "field" : "error.message",
        "value" : "{{ _ingest.on_failure_message }}"
      }
    }
  ],
  "description" : "Pipeline for parsing Syslog messages."
}
It's this content; I thought you meant writing a new one...
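Because the thread turns on the "timezone" : "CST" value in the system-syslog pipeline's date processor, here is an added example (written for this page, not code from the thread or from Filebeat) that reproduces in Go what that processor does with a "MMM d HH:mm:ss" syslog timestamp under a given zone, and checks why a bare abbreviation is a poor zone ID: CST names both China Standard Time (UTC+8) and US Central Standard Time (UTC-6). It assumes an IANA zone ID such as the Asia/Shanghai value used in an earlier reply; the sample timestamps and candidate zones are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"time"
	_ "time/tzdata" // embed the IANA database so LoadLocation works on minimal hosts
)

// SyslogToUTC parses a syslog timestamp (no year, no zone) as wall-clock time in IANA zone tzID
// and returns the UTC string ES stores in @timestamp; the caller supplies the missing year.
func SyslogToUTC(ts, tzID string, year int) (string, error) {
	loc, err := time.LoadLocation(tzID)
	if err != nil {
		return "", fmt.Errorf("%q is not an IANA zone ID (use e.g. Asia/Shanghai): %w", tzID, err)
	}
	p, err := time.Parse("Jan _2 15:04:05", ts) // "_2" also accepts the space-padded "Oct  5"
	if err != nil {
		return "", err
	}
	local := time.Date(year, p.Month(), p.Day(), p.Hour(), p.Minute(), p.Second(), 0, loc)
	return local.UTC().Format("2006-01-02T15:04:05.000Z"), nil
}

// ZonesUsingAbbrev lists the candidate zones showing abbreviation abbr at instant at;
// more than one hit means the abbreviation is ambiguous and unusable as a zone ID.
func ZonesUsingAbbrev(abbr string, at time.Time, candidates []string) []string {
	var hits []string
	for _, id := range candidates {
		loc, err := time.LoadLocation(id)
		if err != nil {
			continue
		}
		if name, _ := at.In(loc).Zone(); name == abbr {
			hits = append(hits, id)
		}
	}
	return hits
}

func main() {
	// Constructed input: the host clock from the original post, 13:03:45 CST (UTC+8), 2018-10-10.
	out, _ := SyslogToUTC("Oct 10 13:03:45", "Asia/Shanghai", 2018)
	fmt.Println("Asia/Shanghai ->", out) // 2018-10-10T05:03:45.000Z
	out, _ = SyslogToUTC("Oct 10 13:03:45", "UTC", 2018)
	fmt.Println("UTC (convert_timezone: false) ->", out) // 2018-10-10T13:03:45.000Z
	_, err := SyslogToUTC("Oct 10 13:03:45", "CST", 2018)
	fmt.Println("CST ->", err)
	fmt.Println("zones showing CST in January:", ZonesUsingAbbrev("CST",
		time.Date(2018, 1, 10, 12, 0, 0, 0, time.UTC), []string{"Asia/Shanghai", "America/Chicago", "America/Havana"}))
}
```

The UTC case reproduces the +8 skew from the original post: the local wall-clock time is stored unchanged, so an 8-hour gap appears against the host clock. Setting the date processor's timezone to the IANA ID instead of the abbreviation makes the stored instant correct.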