Logstash修改UTC时间为东八区时间(北京时间)
logstash时间戳@timestamp修改为北京时间
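# Pipeline: receive events from Beats, parse the control-character-delimited
# "message", take the event time from its epoch-millisecond field, shift
# @timestamp to Beijing wall-clock time (UTC+8), and write two daily files.
#
# NOTE(review): no TLS or client-authentication settings appear on the beats
# input in this listing, so any host that can reach port 5044 can submit
# events -- confirm the listener is restricted or secured elsewhere.
input {
  beats {
    port => "5044"
  }
}

filter {
  # ^A and ^B denote the CTRL+A / CTRL+B control characters as entered in vim.
  # As printed here the pattern holds a literal caret followed by a letter;
  # presumably the original file held the raw control bytes -- confirm before
  # copying this pattern.
  grok {
    match => [
      "message", "time\^B%{INT:timestamp}\^Aid\^B%{NOTSPACE:sn}\^Aasr\^B%{NOTSPACE:asr}\^Anlp\^B%{DATA:nlp}\^Adomain\^B%{JAVACLASS:domain}\^Aintent\^B%{NOTSPACE:intent}"
    ]
  }

  # Use the event's own epoch-millisecond value as @timestamp.
  date {
    match => ["timestamp", "UNIX_MS"]
    target => "@timestamp"
  }

  # Add 8 hours to @timestamp so the %{+...} date patterns in the outputs,
  # which are rendered in UTC, produce Beijing-time file names and line stamps.
  # `.localtime` only changes the zone the Time is presented in; the addition
  # is what moves the instant.
  #
  # NOTE(review): after this filter @timestamp no longer holds the true UTC
  # instant. Anything that later reads it as UTC (a search index, correlation
  # with logs from other sources, an incident timeline) will be 8 hours off.
  # Keep this shift to pipelines whose only consumers are the file outputs
  # below.
  #
  # The shifted value goes through the scratch field 'temp' (presumably because
  # @timestamp has to be assigned a Logstash timestamp rather than a plain
  # Ruby Time -- confirm). The scratch field is removed afterwards so it does
  # not remain on the event.
  ruby {
    code => "
      event.set('temp', event.get('@timestamp').time.localtime + 8*60*60)
      event.set('@timestamp', event.get('temp'))
      event.remove('temp')
    "
  }
}

output {
  # stdout { codec => rubydebug }

  # Raw copy of every message, one file per (shifted) day.
  file {
    codec => line {format => "%{message}"}
    path => "/home/admin/data/speech/speech.log.%{+YYYYMMdd}"
  }

  # Parsed fields joined by the ^A separator (same caret notation as in the
  # grok pattern), prefixed with the shifted time.
  file {
    codec => line {format => "%{+YYYY-MM-dd HH:mm:ss}^A%{sn}^A%{asr}^A%{nlp}^A%{domain}^A%{intent}"}
    path => "/home/admin/data/speech/speech%{+YYYY-MM-dd}"
  }
}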
将 Logstash 的 @timestamp 从 UTC 时间修改为北京时间
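# Shift @timestamp forward by 8 hours so that it reads as Beijing wall-clock
# time (UTC+8).
#
# NOTE(review): after this filter @timestamp no longer holds the true UTC
# instant. Anything that later reads it as UTC (a search index, correlation
# with logs from other sources, an incident timeline) will be 8 hours off.
# Where the original instant matters, keep @timestamp untouched and write the
# local time to a separate field instead.
filter {
  ruby {
    # The shifted value goes through a scratch field (presumably because
    # @timestamp has to be assigned a Logstash timestamp rather than a plain
    # Ruby Time -- confirm). The scratch field has a dedicated name and is
    # removed in the same step, so an existing `timestamp` field on the event
    # (for example one extracted by grok) is neither overwritten nor deleted.
    code => "
      event.set('tmp_shifted_ts', event.get('@timestamp').time.localtime + 8*60*60)
      event.set('@timestamp', event.get('tmp_shifted_ts'))
      event.remove('tmp_shifted_ts')
    "
  }
}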