fluentd当前不支持亚秒级分辨率:https ://github.com/fluent/fluentd/issues/461
我通过使用record_reformer向所有日志消息添加新字段来存储自纪元以来的纳秒来解决此问题
例如,如果您的流利性输入如下:
#
# Syslog
#
<source>
type syslog
port 5140
bind localhost
tag syslog
</source>
#
# Tomcat log4j json output
#
<source>
type tail
path /home/foo/logs/catalina-json.out
pos_file /home/foo/logs/fluentd.pos
tag tomcat
format json
time_key @timestamp
time_format "%Y-%m-%dT%H:%M:%s.%L%Z"
</source>
然后将其更改为如下所示,并添加一个record_reformer,该记录添加一个纳秒级的字段
#
# Syslog
#
<source>
type syslog
port 5140
bind localhost
tag cleanup.syslog
</source>
#
# Tomcat log4j json output
#
<source>
type tail
path /home/foo/logs/catalina-json.out
pos_file /home/foo/logs/fluentd.pos
tag cleanup.tomcat
format json
time_key @timestamp
time_format "%Y-%m-%dT%H:%M:%s.%L%Z"
</source>
<match cleanup.**>
type record_reformer
time_nano ${t = Time.Now; ((t.to_i * 1000000000) + t.nsec).to_s}
tag ${tag_suffix[1]}
</match>
然后将time_nano字段添加到您的kibana仪表板中,并使用它而不是@timestamp进行排序,一切都会井井有条。
602392714
清零编程群