Date filter can't read from fieldnames which contain dots (created by the JSON filter)

Hi

I'm having some problems reading timestamps from nested JSON fields.

Let's say I have this JSON document:

{"time" : "2020-04-15T19:17:03.195641"}

and I read it with logstash using this filter:

filter {
	json {
		source => "message"
	}
	date {
		match => [ "time", "ISO8601" ]
	}
}

then everything works fine and the @timestamp is updated correctly.

But now let's say that I have a nested JSON document that looks like this:

{"subField" : {"time" : "2020-04-15T19:17:03.195641"}}

then when I index the document, the JSON input plugin creates a field called subField.time, so I would expect this config to work:

filter {
	json {
		source => "message"
	}
	date {
		match => [ "subField.time", "ISO8601" ]
	}
}

But this time around, the @timestamp is not read, and logstash just uses the current local time. Is there any trick to reading in timestamps from fields with dots in their name?

regards
Frimann

In logstash a field name can contain a dot, and if it contained a dot you would refer to it as [subField.time]. However, your field name does not contain a dot, it is an object called subField that contains a time field. In logstash that is [subField][time].

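The nested field reference from the answer above, applied to the filter in the question. This is an added example and not part of the original thread. The conditional and the `event_time_missing` tag are assumptions added here so that events without the nested field are marked rather than silently keeping the processing time as their @timestamp:

```logstash
filter {
	json {
		source => "message"
	}

	# [subField][time] addresses the "time" key inside the "subField" object.
	# "subField.time" or [subField.time] would address a top-level field
	# whose name literally contains a dot, which this document does not have.
	if [subField][time] {
		date {
			match => [ "[subField][time]", "ISO8601" ]
			# Default tag of the date filter, written out so it is visible:
			# applied when the field exists but cannot be parsed.
			tag_on_failure => [ "_dateparsefailure" ]
		}
	} else {
		# Hypothetical tag name chosen for this example. The date filter does
		# nothing when its source field is absent, so without this branch the
		# event keeps the time Logstash processed it and nothing marks that.
		mutate {
			add_tag => [ "event_time_missing" ]
		}
	}
}
```

Searching the index for either tag shows which events carry an ingest time instead of the time recorded in the log line, which matters when the events are later ordered into a timeline.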

That did the trick. Thanks!
