Logstash use JSON field date instead of @timestamp


Logstash use JSON field date instead of @timestamp



I'm facing this issue.
I'm trying to use custom JSON log date as my "usable" date instead of the @timestamp date field.



My JSON file to be processed by Logstash (comming from filebeat):


{
"start": {
"timestamp": {
"time": "Wed, 04 Apr 2018 09:36:39 GMT",
"timesecs": 1522834599
}
}
}



My logstash.yml file :


input {
beats {
port => 1337
codec => "json_lines"
}
}

filter {
date {
match => [ "time", "EEE, dd MM yyyy hh:mm:ss ZZZ" ]
}
}

output {
stdout {
codec => rubydebug
}
elasticsearch {
hosts => "localhost:9200"
index => "testing"
}
}



Also tried to :


match => [ "[start][timestamp][time]", "EEE, dd MM yyyy hh:mm:ss ZZZ" ]



Still no luck.



Any help would be welcome.



Cheers,




2 Answers
2



Got to the solution like this :


mutate {
add_field => {
"mytime" => ""
}
}

date {
match => [ "[start][timestamp][time]", "EEE, dd MMM yyyy HH:mm:ss z" ]
target => "mytime"
locale => "en"
}





you don't need mutate filter. please read my answer
– Sufiyan Ghori
2 days ago


mutate



When you match the date using date filter, it stores the matching timestamp into the given target field. If target not provided, it will simply update the @timestamp field of the event with the new matching time.


match


date


target


@timestamp


time



target



Store the matching timestamp into the given target field. If not
provided, default to updating the @timestamp field of the event.



You don't even need to create a field with mutate filter, target will automatically create a field if it doesn't exists. Besides, add_field is a common option and available for date filter as well.


mutate


target


date



So following code is enough,


date {
match => [ "[start][timestamp][time]", "EEE, dd MMM yyyy HH:mm:ss z" ]
target => "newTimeField"
locale => "en"
remove_field => [ "[start][timestamp][time]" ]
}



remove_field above is another common option available for date filter. It is used to delete old time field once its stored in a new field.


remove_field


date


time






By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

Comments

Post a Comment

Popular posts from this blog

paramiko-expect timeout is happening after executing the command

paramiko-expect timeout is happening after executing the command Can someone help me why timeout is happening after executing the command .I am trying to SSH to a machine and execute a command.I want to store the result of the executed command . I have referred paramiko-timeout but i didn't get my expected result. import traceback try: import paramiko except ImportError: raise Exception("Please install paramiko , pip install paramiko") import pexpect from paramiko_expect import SSHClientInteraction def main(): HOSTNAME = "minion5.net" USERNAME = "root" PASSWORD = "help@432" PROMPT = "root@*:~$s+" try: client = paramiko.SSHClient() client.load_system_host_keys() client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) client.connect(hostname=HOSTNAME, username=USERNAME, password=PASSWORD) with SSHClientInteraction(client, timeout=20, display=True) as interact: ...
Read more

Possible Unhandled Promise Rejection (id: 0): ReferenceError: user is not defined ReferenceError: user is not defined

Possible Unhandled Promise Rejection (id: 0): ReferenceError: user is not defined ReferenceError: user is not defined I have stored data user with AsyncStorage when i want to get it, it renders null in alert and the above error in the console,i don't know why. I can not see why it returns null with user but token all is well profile.js : import React, {Component} from 'react'; import { StyleSheet, Text, View, Image, TouchableOpacity,AsyncStorage} from 'react-native'; import { Container, Content, Header,Right, Left, Body} from 'native- base'; import Feather from 'react-native-vector-icons/Feather'; export default class Profile extends Component { constructor (props){ super(props); this.state = { user: null } } componentDidMount(){ this.fetchData(); } fetchData = async() =>{ let username = await AsyncStorage.getItem('user') this.setState({ user: username }) ...
Read more

Opening a url is failing in Swift

Opening a url is failing in Swift breakpointing inside the callback and logging success shows false. I added itms-apps to my plist: LSApplicationQueriesSchemes and put this in my app delegate: func application(_ app: UIApplication, open url: URL, options: [UIApplicationOpenURLOptionsKey : Any] = [:]) -> Bool { return true } func moreTapped() { let url = NSURL(string: "itms-apps://itunes.com/developer/quantum-productions/id979315877") if #available(iOS 10.0, *) { UIApplication.shared.open(url! as URL, options: [:], completionHandler: {(success: Bool) in }) } else { UIApplication.shared.openURL(url! as URL) } } Are you testing on a real device? – rmaddy Jun 21 at 23:57 I try on a device, get "Cannot Connect to App Store". Device is online ...
Read more