Add_field not working in date { } config

Janet · July 17, 2015, 10:14am

I use a friendly date format to display to my users, because @timestamp is a little ugly. This config adds a time field, which works as expected:

		date {
			add_field => [ "time", "%{+MMM dd HH:mm:ss}" ]
			match => [ "syslog_timestamp", "yyyy MMM dd HH:mm:ss" ]
			timezone => "UTC"
		}

However, the add_field function fails to work in this config:

	date {
		add_field => [ "time", "%{+MMM dd HH:mm:ss}" ]
		match => [ "%{@timestamp}", "ISO8601" ]
		timezone => "UTC"
	}

I've even tried to add a static "test" field to the second date {} config, but add_field just doesn't work. This one has me scratching my head.

magnusbaeck · July 17, 2015, 10:21am

I use a friendly date format to display to my users, because @timestamp is a little ugly.

That sounds like something that should be fixed in the display layer, not by adding redundant data.

date {
  add_field => [ "time", "%{+MMM dd HH:mm:ss}" ]
  match => [ "%{@timestamp}", "ISO8601" ]
  timezone => "UTC"
}

The first argument of the list provided to match is the name of a field as in your first example with syslog_timestamp. Here you're trying to expand the value of the @timestamp field.

Janet · July 17, 2015, 10:31am

P.S. when I use a mutate to add a test field that's %{@timestamp} , I get this:

2015-07-17T10:25:00.000Z

So why doesn't ISO8601 match with %{@timestamp} in my second example. I'm assuming the add_fields aren't getting processed because the match doesn't happen.

Janet · July 17, 2015, 10:33am

P.P.S I didn't have this problem with 1.4.2

magnusbaeck · July 17, 2015, 10:36am

Again, match is supposed to contain the name of a field. The @timestamp field is named @timestamp and not %{@timestamp}, so you should say this instead:

match => [ "@timestamp", "ISO8601" ]

And I still think you should avoid doing this and focus on fixing the problem in the right place.