Comment obtenir TimeStamp en utilisant logstash à partir du fichier Json? Il champs de date multiples dans le JSON

Question

J'ai mon entrée JSON comme suit qui a champ de date et ont besoin d'extraire le champ de date heure de JSON,

{ 
    "Properties": { 
     "Client Name": "Chubb", 
     "Portfolio": "Chubb-Transfer" 
    }, 
"Capture": [ 
     { 
      "CaptureGUID": "caa1f5ba-1e93-4926-b3ac-e30d0d9d4cbb", 
      "HTMLPath": "Captures\\C:\\", 
      "ScreenName": "Amdocs CRM - ClearCallCenter - [Console]", 
      "TimeStamp": "20170926110036" 
      }, 
     { 
      "CaptureGUID": "0faf6b54-999f-4bfd-b8d0-e81a589f9185", 
      "HTMLPath": "Captures\\C:\\", 
      "ScreenName": "Microsoft Excel - 1.0.1 1.0.6 1.0.8 Match 3.0.6 Hit NAIC Optimized.xlsx", 
      "TimeStamp": "20170926105418" 
      } 
    ] 
} 

et My Logstash Config est comme ci-dessous, comment convertir la date de chaîne ("TimeStamp": "20170926105418") à ce jour format.Have mis à jour avec le fichier logstash complet

input { 
    file { 
     type => "json" 
     path => "C:/ELK/data/Recordings/*.json" 
     start_position => beginning 
     codec => multiline { 
      pattern => "^{" 
      negate => "true" 
      what => "previous" 
      multiline_tag => "multi_tagged" 
      max_lines => 30000 
     } 
    } 
} 
filter{ 
    date { 
     match => ["Capture.TimeStamp", "yyyyMMddHHmmss"] 
     target => "TimeStamp" 
    } 

    mutate { 
    replace => { "message" => "%{message}}" } 
    gsub => [ 'message','\n',''] 
    } 

    json { 
     source => "message" 
     remove_field => ["message"] 
    } 


} 

output { 
    elasticsearch { 
    index => "test10" 
    } 
    stdout { codec => rubydebug } 
} 

Answer 1

Retirez le filtre de date du fichier de configuration logstash. Gérez l'analyse de la date lors du mappage de l'index. Voici la cartographie de votre cas d'utilisation.

PUT json 
{ 
    "mappings": { 
    "json": { 
     "properties": { 
     "Capture": { 
      "type": "nested", 
      "properties": { 
      "CaptureGUID": { 
       "type": "text", 
       "fields": { 
       "keyword": { 
        "type": "keyword", 
        "ignore_above": 256 
       } 
       } 
      }, 
      "HTMLPath": { 
       "type": "text", 
       "fields": { 
       "keyword": { 
        "type": "keyword", 
        "ignore_above": 256 
       } 
       } 
      }, 
      "ScreenName": { 
       "type": "text", 
       "fields": { 
       "keyword": { 
        "type": "keyword", 
        "ignore_above": 256 
       } 
       } 
      }, 
      "TimeStamp": { 
       "type": "date", 
       "format": "yyyyMMddHHmmss" 
      } 
      } 
     }, 
     "Properties": { 
      "properties": { 
      "Client Name": { 
       "type": "text", 
       "fields": { 
       "keyword": { 
        "type": "keyword", 
        "ignore_above": 256 
       } 
       } 
      }, 
      "Portfolio": { 
       "type": "text", 
       "fields": { 
       "keyword": { 
        "type": "keyword", 
        "ignore_above": 256 
       } 
       } 
      } 
      } 
     } 
     } 
    } 
    } 
} 

Answer 2

ont résolu par la suite,

input { 
    file { 
     type => "json" 
     path => "C:/ELK/data/Recordings/*.json" 
     start_position => beginning 
     codec => multiline { 
      pattern => "^{" 
      negate => "true" 
      what => "previous" 
      max_lines => 30000 
     } 
    } 
} 
filter{ 

    mutate { 
    replace => { "message" => "%{message}}" } 
    gsub => [ 'message','\n',''] 
    } 

    json { 
    source => "message" 
    remove_field => ["message"] 
    } 

    date { 
    match => ["[Capture][0][TimeStamp]", "yyyyMMddHHmmss"] 
    target=> "[Capture][0]StartTime" 
    timezone => "Africa/Lome" 
    locale => "en" 
    } 


} 

output { 
    elasticsearch { 
    index => "test15" 
    } 
    stdout { codec => rubydebug } 
}