Hi,
Our log files are in JSON format. Here is a small snippet of the file:

    {
      "timestamp": 1608191939682,
      "formatVersion": 1,
      "webaclId": "69c2a78d-d849-4dca-bccd-xxx",
      "terminatingRuleId": "Default_Action",
      "terminatingRuleType": "REGULAR",
      "action": "ALLOW",
      "terminatingRuleMatchDetails": [],
      "httpSourceName": "ALB",
      "httpSourceId": "560cxxxx-app/ALB-WAF-2/0bf0bd24bxxx",
      .....

The relevant portion of our conf file looks like this:

    input {
      s3 {
        bucket => "bucket"
        region => "us-east-1"
        type => "type"
        codec => json
        access_key_id => "xx"
        secret_access_key => "yy"
      }
    }
    filter {
      date {
        match => [ "timestamp", "UNIX_MS" ]
      }
      .............

We are getting a _dateparsefailure tag on each record, and our @timestamp field is the actual time of Logstash processing the record (which is not what we want) and does not match the Unix timestamp that is in the log itself. Can someone help us with this?
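
One way to check what the `timestamp` field actually contains in each record before it reaches the date filter, as an added example that is not part of the original post. The sample lines are constructed from the snippet above, the function name is hypothetical, and the seconds-versus-milliseconds cutoff is a heuristic assumption.

```python
import json
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample input: one JSON object per line, modelled on the post's snippet.
SAMPLE = """\
{"timestamp": 1608191939682, "formatVersion": 1, "action": "ALLOW"}
{"timestamp": "1608191939682", "formatVersion": 1, "action": "ALLOW"}
{"timestamp": 1608191939, "formatVersion": 1, "action": "BLOCK"}
{"formatVersion": 1, "action": "ALLOW"}
{"timestamp": "2020-12-17T07:58:59Z", "action": "ALLOW"}
not json at all
"""

def classify(line):
    """Return (verdict, utc_iso_or_None) describing the record's timestamp field."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return ("not_json", None)
    if not isinstance(event, dict) or "timestamp" not in event:
        return ("missing_field", None)
    raw = event["timestamp"]
    if isinstance(raw, bool):          # bool is an int subclass in Python
        return ("not_numeric", None)
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return ("not_numeric", None)
    # Heuristic (assumption): values >= 10**11 are milliseconds, smaller ones seconds.
    if value >= 10**11:
        kind, moment = "epoch_ms", EPOCH + timedelta(milliseconds=value)
    else:
        kind, moment = "epoch_seconds", EPOCH + timedelta(seconds=value)
    if isinstance(raw, str):
        kind += "_as_string"           # numeric value, but stored as a JSON string
    return (kind, moment.isoformat(timespec="milliseconds"))

if __name__ == "__main__":
    for number, line in enumerate(SAMPLE.splitlines(), start=1):
        verdict, when = classify(line)
        print(f"line {number}: {verdict:22} {when or '-'}")
```

Running it over a file pulled from the bucket shows whether every record carries a numeric millisecond `timestamp` or whether some lines are shaped differently.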