Add_field => [ "EventDate", "%{@timestamp}" ]

Erik_Parienty · November 2, 2015, 4:31pm

when i using add_field => [ "EventDate", "%{@timestamp}" ]

i see this

{
"@version" => "1",
"@timestamp" => "2015-11-02T16:23:57.815Z",
"type" => "blabla",
"EventDate" => "%{@timestamp}",
"Cluster" => "blabla",
"host" => "blabla",
"command" => "sudo /myscript"
}

its only happens when using add_field => [ "EventDate", "%{@timestamp}" ] in input exec on centos

theuntergeek · November 2, 2015, 6:12pm

This is because there is no field @timestamp until after the new event exits the input block. In other words, @timestamp is not a part of the event in the input block, so trying to add this field here will never work.

If you were to add a conditional and mutate filter, you can get the desired outcome:

filter {
  if [type] == "blablah" {
    mutate {
      add_field => { "EventDate" => "%{@timestamp}" }
    }
  }
}

Or something like it.

Erik_Parienty · November 3, 2015, 8:14am

Thanks a lot

Topic		Replies	Views
Why i can't add a date field Logstash	11	1044	May 14, 2018
Unable to replace @timestamp with some other field in logstash Logstash	6	2311	September 19, 2017
Add_field and then gsub in one pass is not supported? Logstash	3	1275	July 6, 2017
Logstash date filtering and event @timestamp Logstash	4	8818	July 11, 2017
Logstash update @timestamp Logstash	10	6787	April 6, 2017

Add_field => [ "EventDate", "%{@timestamp}" ]

Related topics