When I use add_field => [ "EventDate", "%{@timestamp}" ], I see this:
{
    "@version" => "1",
    "@timestamp" => "2015-11-02T16:23:57.815Z",
    "type" => "blabla",
    "EventDate" => "%{@timestamp}",
    "Cluster" => "blabla",
    "host" => "blabla",
    "command" => "sudo /myscript"
}
It only happens when using add_field => [ "EventDate", "%{@timestamp}" ] in the exec input on CentOS.
This is because there is no @timestamp field until after the new event exits the input block. In other words, @timestamp is not part of the event in the input block, so trying to add this field there will never work.
If you add a conditional and a mutate filter, you can get the desired outcome:
filter {
  # Match the type the exec input assigns ("blabla" in the output above).
  if [type] == "blabla" {
    mutate {
      # By the filter stage @timestamp exists, so the reference resolves.
      add_field => { "EventDate" => "%{@timestamp}" }
    }
  }
}
Or something like it.
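To make the failure mode concrete, here is an added example (not code from the original thread or from Logstash itself) that models the %{field} interpolation rule described above in Python: a reference that resolves is replaced by the field's value, and one that does not resolve is left in the string verbatim, which is exactly why "EventDate" comes out as the literal "%{@timestamp}". The two sample events, the field names and the helper functions (lookup, sprintf, add_field, unresolved_refs, demo) are all constructed for this illustration; the "input" event simply omits @timestamp, following the explanation in the answer, and the "filter" event carries it.

```python
"""Simplified model of Logstash's %{field} interpolation (illustration only).

This is an added example, not the Logstash implementation. It models one rule:
a %{name} or %{[outer][inner]} reference is replaced by the field's value when
the field exists, and left untouched when it does not.
"""
import re

# Matches one %{...} reference; the group is the text inside the braces.
REF = re.compile(r"%\{([^}]+)\}")


def lookup(event, ref):
    """Resolve a field reference such as '@timestamp' or '[host][name]'."""
    path = re.findall(r"\[([^\]]+)\]", ref) if ref.startswith("[") else [ref]
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def sprintf(event, template):
    """Expand every %{...} in template; unresolved references stay literal."""
    def sub(match):
        value = lookup(event, match.group(1))
        return match.group(0) if value is None else str(value)
    return REF.sub(sub, template)


def add_field(event, fields):
    """Model add_field: each value is a template expanded against the event."""
    out = dict(event)
    for name, template in fields.items():
        out[name] = sprintf(out, template)
    return out


def unresolved_refs(event):
    """Names of string fields that still contain a %{...} reference.

    Handy as a pipeline sanity check: a non-empty result means some
    add_field/template setting ran before its source field existed.
    """
    return sorted(k for k, v in event.items()
                  if isinstance(v, str) and REF.search(v))


# Constructed sample events (not real pipeline output).
# In the input stage, per the answer above, @timestamp is not yet present.
EVENT_IN_INPUT = {"type": "blabla", "command": "sudo /myscript"}
# By the filter stage the event carries @timestamp.
EVENT_IN_FILTER = {**EVENT_IN_INPUT, "@timestamp": "2015-11-02T16:23:57.815Z"}


def apply_filter(event):
    """Model the conditional mutate filter from the answer (type == "blabla")."""
    if event.get("type") == "blabla":
        return add_field(event, {"EventDate": "%{@timestamp}"})
    return dict(event)


def demo():
    """Return (add_field applied in the input stage, applied in the filter stage)."""
    early = add_field(EVENT_IN_INPUT, {"EventDate": "%{@timestamp}"})
    late = apply_filter(EVENT_IN_FILTER)
    return early, late


if __name__ == "__main__":
    early, late = demo()
    print("input stage :", early["EventDate"], "unresolved:", unresolved_refs(early))
    print("filter stage:", late["EventDate"], "unresolved:", unresolved_refs(late))
```

Running the block prints the literal "%{@timestamp}" for the input-stage case and the real timestamp for the filter-stage case; unresolved_refs is the kind of check worth running over a sample of emitted events whenever a template-based setting is moved between pipeline stages.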