This variable is accessible throughout your whole configuration, so what you can do is use a regex filter to parse your date out of the path, for example using grok, you could do something like that (look out: Pseudocode)if [type] == "myType" { grok { match => { "path" => "%{MY_DATE_PATTERN:myTimeStampVar}" } }}现在，您可以将变量保存在"myTimeStampVar"中，并可以在输出中使用它:With this you now have your variable in "myTimeStampVar" and you can use it in your output:elasticsearch { host => "127.0.0.1" cluster => "logstash" index => "events-%{myTimeStampVar}" }说了这么多，我不太确定你为什么需要这个?我认为最好让ES为您完成这项工作.它会知道您的日志的时间戳，并相应地对其进行索引，因此您可以轻松访问它.但是，上面的设置应该适合您，我使用了一种非常相似的方法来解析客户端名称并基于每个客户端创建子索引，例如:myIndex-％{client}-％{+ YYYY.MM.dd}Having said all this, I am not quite sure why you need this? I think it is better to have ES do the job for you. It will know the timestamp of your log and index it accordingly so you have easy access to it. However, the setup above should work for you, I used a very similar approach to parse out a client name and create sub-indexes on a per-client bases, for example: myIndex-%{client}-%{+YYYY.MM.dd}希望这会有所帮助， Artur我做了一些挖掘工作，因为我怀疑您担心您的日志由于在错误的时间解析而被放入错误的索引中?如果正确，则解决方案不是从日志文件中解析索引，而是从每个日志中解析时间戳. I did some digging because I suspect that you are worried your logs get put in the wrong index because they are parsed at the wrong time? If this is correct, the solution is not to parse the index out of the log file, but to parse the timestamp out of each log.我假设您的每个日志行都有一个时间戳.Logstash将创建一个@timestamp字段，它是当前日期.因此，这将不等于索引.但是，解决此问题的正确方法是更改​​@timestamp字段，而在日志行(已解析的行)中使用时间戳.这样，logstash将具有正确的索引并将其放在那里.I assume each log line for you has a timestamp. Logstash will create an @timestamp field which is the current date. So this would be not equal to the index. However, the correct way to solve this, is to mutate the @timestamp field and instead use the timestamp in your log line (the parsed one). That way logstash will have the correct index and put it there. 这篇关于每天在Logstash配置中为Elasticsearch创建一个新索引的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！ 上岸，阿里云！