Logstash 中的时间与服务器时间相差 8 小时(Logstash 的 @timestamp 始终按 UTC 记录,而服务器使用东八区时间),导致 @timestamp 字段中的时间不对,影响后续流程处理。因此修改 Logstash 配置文件,主要修改 filter 中的字段:
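---
# ConfigMap carrying the Logstash pipeline (inputs, filter, outputs) for the
# `logstash` release in the `elk` namespace. Nesting is restored here; without
# it the `|-` block scalars have no content and the manifest does not parse.
apiVersion: v1
data:
  # Inputs: syslog over UDP 1514 plus JSON events read from a Redis list.
  # NOTE(review): a ConfigMap is not a secret store. Anyone who can read
  # ConfigMaps in this namespace (or the chart values / repository) can read
  # the Redis password below. Keep it in a Kubernetes Secret, expose it to the
  # pod as an environment variable and reference it from the pipeline, e.g.
  # `password => "${REDIS_PASSWORD}"` (example variable name). A value that has
  # already been published should be rotated.
  input_main: |-
    input {
      udp {
        port => 1514
        type => syslog
      }
      # tcp {
      #   port => 1514
      #   type => syslog
      # }
      redis {
        host => "192.21.19.33"
        password => VYaa0Ch
        key => "logstash"
        data_type => "list"
        codec => "json"
      }
    }
  # Filter and outputs.
  # NOTE(review): the two ruby blocks move the stored instant forward by eight
  # hours; they do not merely change how it is displayed. `localtime` only
  # changes the zone of the Ruby Time object, the `+ 8*60*60` is what shifts
  # it. After this filter @timestamp is no longer UTC, so any consumer that
  # assumes UTC (dashboards that convert to the viewer's zone, correlation with
  # other log sources, incident timelines) is off by eight hours, and the
  # `%{+YYYY.MM.dd}` part of the index name rolls over at a different moment.
  # If only a local-time view is needed, keeping @timestamp untouched and
  # writing the shifted value to a separate field avoids that.
  output_main: |-
    filter {
      mutate {
        rename => { "@tags" => "channel" }
      }
      # Copy @timestamp, shifted by +8h, into a temporary field ...
      ruby {
        code => "event.set('timestamp', event.get('@timestamp').time.localtime + 8*60*60)"
      }
      # ... write it back over @timestamp ...
      ruby {
        code => "event.set('@timestamp',event.get('timestamp'))"
      }
      # ... and drop the temporary field.
      mutate {
        remove_field => ["timestamp"]
      }
    }
    output {
      # Every event is also printed to the container's stdout, so pod logs hold
      # a second copy of the log data; usually a debugging aid only.
      stdout { codec => rubydebug }
      # No user/password or TLS options are set for Elasticsearch here; confirm
      # the cluster is reachable only from trusted networks.
      # `channel` comes from the event's own `@tags` field, so the event
      # producer chooses the index name; events without `@tags` keep the
      # literal text `%{channel}`. Consider validating it against a known list.
      elasticsearch {
        hosts => ["192.168.11.38:9200"]
        manage_template => false
        index => "k8s-logstash-%{channel}-%{+YYYY.MM.dd}"
      }
    }
kind: ConfigMap
metadata:
  # Explicit empty map instead of a bare key (which parses as null).
  annotations: {}
  labels:
    app: logstash
    chart: logstash-0.6.3
    heritage: Tiller
    release: logstash
  name: logstash-pipeline
  namespace: elk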