
Elasticsearch treats a string as a date

Reposted. Author: 行者123. Updated: 2023-12-03 00:28:34

I am trying to use elasticsearch paired with logstash to store my exim logs.

In particular, I want to extract the message id field from the log file to make searching on it easier:

    grok {
      match => [
        "@message", "%{DATE} %{TIME} %{HOSTNAME:msgid} %{GREEDYDATA:details}"
      ]
    }
    mutate {
      gsub => [
        "msgid","[\\\:-]",""
      ]
    }

Since elasticsearch tries to parse every string containing symbols like : / or - as a Date, I replace them with the mutate filter.

Unfortunately, even the filtered msg id is not accepted by elasticsearch. The question is: why?

    [2013-12-24 21:32:32,823][DEBUG][action.bulk              ] [Piledriver]
    [logstash 2013.12.24][0] failed to execute bulk item (index) index
    {[logstash-2013.12.24][exim][_7-j53yZRzmARuYsJEfgIA],
    source[{"message":"<22>Dec 24 21:32:31 host exim[15691]:
    2013-12-24 21:32:31 1VvWmN-000453-Fz Completed",
    "@version":"1",
    "@timestamp":"2013-12-24T21:32:31.000+03:00",
    "type":"exim",
    "host":"192.168.169.228",
    "syslog_pri":"22",
    "syslog_program":"exim",
    "syslog_pid":"15691",
    "received_at":"2013-12-24 18:32:31 UTC",
    "received_from":"192.168.169.228",
    "syslog_severity_code":6,
    "syslog_facility_code":2,
    "syslog_facility":"mail",
    "syslog_severity":"informational",
    "@source_host":"host",
    "@message":"2013-12-24 21:32:31 1VvWmN-000453-Fz Completed",
    "msgid":"1VvWmN000453Fz"}]}
    org.elasticsearch.index.mapper.MapperParsingException: failed to parse [msgid]
    at org.elasticsearch.index.mapper.core.AbstractFieldMapper.parse(AbstractFieldMapper.java:401)
    at org.elasticsearch.index.mapper.object.ObjectMapper.serializeValue(ObjectMapper.java:613)
    at org.elasticsearch.index.mapper.object.ObjectMapper.parse(ObjectMapper.java:466)
    at org.elasticsearch.index.mapper.DocumentMapper.parse(DocumentMapper.java:516)
    at org.elasticsearch.index.mapper.DocumentMapper.parse(DocumentMapper.java:460)
    at org.elasticsearch.index.shard.service.InternalIndexShard.prepareCreate(InternalIndexShard.java:353)
    at org.elasticsearch.action.bulk.TransportShardBulkAction.shardIndexOperation(TransportShardBulkAction.java:402)
    at org.elasticsearch.action.bulk.TransportShardBulkAction.shardOperationOnPrimary(TransportShardBulkAction.java:156)
    at org.elasticsearch.action.support.replication.TransportShardReplicationOperationAction$AsyncShardOperationAction.performOnPrimary(TransportShardReplicationOperationAction.java:556)
    at org.elasticsearch.action.support.replication.TransportShardReplicationOperationAction$AsyncShardOperationAction$1.run(TransportShardReplicationOperationAction.java:426)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:724)
    Caused by: org.elasticsearch.index.mapper.MapperParsingException: failed to parse date field [1VvWmN000453Fz], tried both date format [dateOptionalTime], and timestamp number with locale []
    at org.elasticsearch.index.mapper.core.DateFieldMapper.parseStringValue(DateFieldMapper.java:487)
    at org.elasticsearch.index.mapper.core.DateFieldMapper.innerParseCreateField(DateFieldMapper.java:424)
    at org.elasticsearch.index.mapper.core.NumberFieldMapper.parseCreateField(NumberFieldMapper.java:194)
    at org.elasticsearch.index.mapper.core.AbstractFieldMapper.parse(AbstractFieldMapper.java:390)
    ... 12 more
    Caused by: java.lang.IllegalArgumentException: Invalid format: "1VvWmN000453Fz" is malformed at "VvWmN000453Fz"
    at org.elasticsearch.common.joda.time.format.DateTimeFormatter.parseMillis(DateTimeFormatter.java:754)
    at org.elasticsearch.index.mapper.core.DateFieldMapper.parseStringValue(DateFieldMapper.java:481)
    ... 15 more

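Best answer

Please share your Elasticsearch mapping if you have applied one to the index.
If not, share the default mapping that was created after the index was created.

You can also try giving msgid a default mapping as a string.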

Regarding "Elasticsearch treats a string as a date", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/20765512/
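
The mapping suggested in the answer, written out as an index template body (an added example, not part of the original question or answer). It pins `msgid` to a non-analyzed string and turns off date detection for other dynamically added string fields of the `exim` type. Assumptions: the pre-5.x mapping syntax that matches the 2013 log above (`string` with `not_analyzed`), the `exim` type and `logstash-*` index pattern taken from the error message, and a hypothetical template name `exim_msgid` for the `PUT /_template/exim_msgid` request that carries this body.

```json
{
  "template": "logstash-*",
  "mappings": {
    "exim": {
      "date_detection": false,
      "properties": {
        "msgid": {
          "type": "string",
          "index": "not_analyzed"
        }
      }
    }
  }
}
```

A template only affects indices created after it is installed. The stack trace shows `msgid` already mapped as a date in `logstash-2013.12.24`, so that index keeps rejecting these documents until it is recreated or the next daily index is created.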
