When I use add_field => [ "EventDate", "%{@timestamp}" ]
I see this:
{
"@version" => "1",
"@timestamp" => "2015-11-02T16:23:57.815Z",
"type" => "blabla",
"EventDate" => "%{@timestamp}",
"Cluster" => "blabla",
"host" => "blabla",
"command" => "sudo /myscript"
}
It only happens when using add_field => [ "EventDate", "%{@timestamp}" ] in input exec on CentOS.
This is because there is no field @timestamp until after the new event exits the input block.  In other words, @timestamp is not a part of the event in the input block, so trying to add this field here will never work.
If you were to add a conditional and mutate filter, you can get the desired outcome:
filter {
  if [type] == "blabla" {
    mutate {
      add_field => { "EventDate" => "%{@timestamp}" }
    }
  }
}
Or something like it.