I use a friendly date format to display to my users, because @timestamp is a little ugly.
That sounds like something that should be fixed in the display layer, not by adding redundant data.
date {
  add_field => [ "time", "%{+MMM dd HH:mm:ss}" ]
  match => [ "%{@timestamp}", "ISO8601" ]
  timezone => "UTC"
}
The first argument of the list provided to match is the name of a field as in your first example with syslog_timestamp. Here you're trying to expand the value of the @timestamp field.
P.S. When I use a mutate to add a test field that's %{@timestamp}, I get this:
2015-07-17T10:25:00.000Z
So why doesn't ISO8601 match %{@timestamp} in my second example? I'm assuming the add_field isn't getting processed because the match doesn't happen.
Again, match is supposed to contain the name of a field. The @timestamp field is named @timestamp and not %{@timestamp}, so you should say this instead:
match => [ "@timestamp", "ISO8601" ]
And I still think you should avoid doing this and focus on fixing the problem in the right place.
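A complete pipeline that applies the correction from the reply above, written here as an added example (it is not config posted in this thread). It reads one event per line from stdin, parses the event's own @timestamp field by name, and only then adds the friendly "time" field; the field name "time" and the stdin/stdout plugins are assumptions for the demo. The add_field uses the hash form rather than the array form shown in the question, which newer Logstash releases expect.

```logstash
input {
  # Type or pipe in a line per event; each becomes one event with an
  # @timestamp set at ingest time.
  stdin { }
}

filter {
  date {
    # "@timestamp" is the field NAME; "%{@timestamp}" would be an attempt to
    # expand its VALUE, which is what the reply says went wrong.
    match    => [ "@timestamp", "ISO8601" ]
    timezone => "UTC"
    # Runs only when the match above succeeds. "%{+FORMAT}" is Logstash's
    # sprintf syntax for formatting the event's @timestamp (Joda pattern).
    add_field => { "time" => "%{+MMM dd HH:mm:ss}" }
  }
}

output {
  # rubydebug prints every field, so you can see both @timestamp and time.
  stdout { codec => rubydebug }
}
```

If the match does not succeed, the date filter tags the event with _dateparsefailure and skips add_field, so checking for that tag in the output is the quickest way to confirm whether the field name is right. Note that parsing @timestamp into @timestamp changes nothing about the event; the filter is only being used here as a gate for add_field, which is why the reply suggests formatting in the display layer instead.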