Hi, im trying to parse timestamp from from log to field so I can choose it when creating new index. Date format from log is: 2020-05-19 11:03:18.954 In logstash I defined:
date{
match => [ "timestamp", "YYYY-MM-dd HH:mm:ss.SSS"]
target => "timestamp"
}
grok pattern: %{TIMESTAMP_ISO8601:timestamp} .........
But still in index creation page I can only see @timestamp to choose. Can somebody help?
What type does the [timestamp] field have if you check it in the index management pages in kibana?
@Badger It has String type.
Ok now its working, It looks like only restarting logstash and then click on refresh button on page where you choose timestamp is not enough, I had to restart filebeat too and now I can choose timestamp from log.
Once a field in an index is a string, it will stay a string. Even if you feed elasticsearch a Logstash::Timestamp, it will convert it to a string if the field already exists. If you roll over to a new index it will start being indexed as a timestamp.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.