Accessing a timestamp within a json structure to be used as @timestamp

Hi all.

I'm currently trying to parse a json log format like this:

{"rmiCall":{"method":"jDVServer#getDocnrs","objectInfo":"jdv.server.jDVServer@53dacd14","params":["jdv.server.doc.vvdoc.VVDoc",{"PROJECT":"vvrp","WORDDOKID":"VVRP000000246.docx"}]},"@timestamp":"2019-08-12T21:00:40.613Z","rmiClient":"10.65.9.50","correlationId":"PuoJEoWVad5Xz68C"}

I want to read the existing @timestamp within the rmi_message and set it as the default @timestamp with this filter:

    json {
        source => "message"
        target => "rmi_message"
    }
    date {
        match => ["rmi_message.@timestamp" , "yyyy-MM-dd'T'HH:mm:ss.SSS", "yyyy-MM-dd'T'HH:mm:ss.SSSZ", "ISO8601"]
        target => "@timestamp"
    }

But in the output the @timestamp is the current DateTime. :unamused:

{
           "host" => "jdv-logdev",
     "@timestamp" => 2019-08-22T11:33:23.562Z,
    "rmi_message" => {
           "@timestamp" => "2019-08-12T21:00:40.613Z",
            "rmiClient" => "10.65.9.50",
              "rmiCall" => {
                "method" => "jDVServer#getDocnrs",
            "objectInfo" => "jdv.server.jDVServer@53dacd14",
                "params" => [
                [0] "jdv.server.doc.vvdoc.VVDoc",
                [1] {
                      "PROJECT" => "vvrp",
                    "WORDDOKID" => "VVRP000000246.docx"
                }
            ]
        },
        "correlationId" => "PuoJEoWVad5Xz68C"
    },
        "message" => "{\"rmiCall\":{\"method\":\"jDVServer#getDocnrs\",\"objectInfo\":\"jdv.server.jDVServer@53dacd14\",\"params\":[\"jdv.server.doc.vvdoc.VVDoc\",{\"PROJECT\":\"vvrp\",\"WORDDOKID\":\"VVRP000000246.docx\"}]},\"@timestamp\":\"2019-08-12T21:00:40.613Z\",\"rmiClient\":\"10.65.9.50\",\"correlationId\":\"PuoJEoWVad5Xz68C\"}",
       "@version" => "1"
}

Who can tell me what I'm doing wrong here?

Tnx in advance.
Franco

That refers to a field with a dot in its name. It looks like you have an rmi_message object that contains an @timestamp field, so you should use [rmi_message][@timestamp]
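The corrected filter, written out as an added example (not the answerer's own config, and not part of the original thread); it assumes the same `message` field and `rmi_message` target as the question, and that the source timestamps are always ISO 8601 with a `Z` suffix as in the sample event:

```logstash
filter {
  json {
    source => "message"
    target => "rmi_message"
  }
  date {
    # Logstash field references use bracket notation. The dotted form
    # "rmi_message.@timestamp" looks for a top-level field literally named
    # that, finds nothing, and leaves @timestamp at the ingest time.
    match  => ["[rmi_message][@timestamp]", "ISO8601"]
    target => "@timestamp"
    # On a parse failure the event is tagged instead of silently keeping
    # ingest time, so bad source timestamps stay visible in the index.
    tag_on_failure => ["_dateparsefailure"]
  }
}
```

With this filter the event's top-level @timestamp becomes 2019-08-12T21:00:40.613Z, the value carried inside the log line, while `[rmi_message][@timestamp]` keeps the original string for comparison.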

Seems you're becoming my buddy, Badger. :wink:

2 Questions 2 Answers that solve my probs. :+1:

Tnx u very much.
