I'd like to upgrade logstash 1.4 to 1.5. Before my logstash server processes the actual message I copy the @timestamp to a new field in order to know when the server received the message:
    mutate {
      add_field => [ "receive_time", "%{@timestamp}" ]
    }
In 1.5 @timestamp is now a date object which conflicts with the 1.4 (string) in elasticsearch. How do I copy and convert the @timestamp into a string in 1.5?
I can't reproduce this with Logstash 1.5.4:
    $ echo hello | /opt/logstash/bin/logstash -e 'input { stdin { } } filter { mutate { add_field => { "receive_time" => "%{@timestamp}" } } } output { stdout { codec => rubydebug } }'
    Logstash startup completed
    {
             "message" => "hello",
            "@version" => "1",
          "@timestamp" => "2015-10-26T18:51:17.096Z",
                "host" => "hallonet",
        "receive_time" => "2015-10-26T18:51:17.096Z"
    }
    Logstash shutdown completed
SOLVED:
I was looking at the wrong place.
The problem is that elasticsearch creates a date object instead of a string. To solve this I added this to my elasticsearch output template:
    "receive_time" : {
      "type" : "string"
    }
The only downside is that the format looks a bit different.
In logstash 1.4 it looks like "2015-10-28 15:08:09 +0100"
In logstash 1.5 it looks like "2015-10-28T14:09:49.264Z"
I guess I have to live with that.
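An added example, not part of the original thread: once `receive_time` is mapped as a string, documents written by 1.4 and 1.5 carry the two layouts quoted above, and they no longer sort or compare correctly as plain strings. This Ruby sketch normalizes both to UTC ISO 8601 so events from before and after the upgrade can be placed on one timeline; the function names, patterns and sample documents are constructed for illustration.

```ruby
require 'time'

# Constructed patterns for the two receive_time layouts quoted in the thread.
LEGACY_1_4 = /\A\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}\z/   # 1.4 style
ISO_1_5    = /\A\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?Z\z/    # 1.5 style

# Return receive_time as UTC ISO 8601 with millisecond precision.
# Anything that matches neither layout is rejected rather than guessed at.
def normalize_receive_time(value)
  t = case value
      when LEGACY_1_4 then Time.strptime(value, '%Y-%m-%d %H:%M:%S %z')
      when ISO_1_5    then Time.iso8601(value)
      else raise ArgumentError, "unrecognized receive_time: #{value.inspect}"
      end
  t.utc.iso8601(3)
end

# Order documents chronologically regardless of which Logstash version wrote them.
# Normalized UTC strings share one fixed-width layout, so string order is time order.
def sort_by_receive_time(docs)
  docs.sort_by { |d| normalize_receive_time(d['receive_time']) }
end

# Constructed sample documents using the two values shown in the thread.
SAMPLE_DOCS = [
  { 'id' => 'from-1.5', 'receive_time' => '2015-10-28T14:09:49.264Z' },
  { 'id' => 'from-1.4', 'receive_time' => '2015-10-28 15:08:09 +0100' }
].freeze

if __FILE__ == $PROGRAM_NAME
  sort_by_receive_time(SAMPLE_DOCS).each do |d|
    puts "#{normalize_receive_time(d['receive_time'])}  #{d['id']}"
  end
end
```

Sorting the raw strings would put the 1.4 document after the 1.5 one, because its local-time value `15:08:09 +0100` is really `14:08:09` UTC.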