Date filter is not updating the field


#1

Hi
I'm using LS 2.3 with the following configuration:

# Filter stage for the two "egw" statistics log types: grok extracts the fields,
# the date filters set the event timestamp, and mutate fixes the field types.
filter {
	# Total-stats lines: bracketed ISO8601 timestamp, file name, numeric logdate,
	# egw name and a per-file event count.
	if [type] == "egw_total_stats" {
		grok {
			match => ["message","\[%{TIMESTAMP_ISO8601:localtimestamp}\]: %{NOTSPACE:filename} %{NUMBER:logdate} %{NOTSPACE:egw} %{NUMBER:perFileEvents}"]
			# Events that do not match the pattern are tagged so they can be found later.
			tag_on_failure => "wrong_grok_expression_total"
	# The next brace closes grok and the one after it closes the conditional;
	# both are indented one level short, but the braces are balanced.
	}
}
	# Per-project lines: same prefix as above, plus tenant_id and topic.
	if [type] == "egw_per_project_stats" {
		grok {
			match => ["message","\[%{TIMESTAMP_ISO8601:localtimestamp}\]: %{NOTSPACE:filename} %{NUMBER:logdate} %{NOTSPACE:egw} %{NUMBER:perTenentEvents} tenant_id:%{NUMBER:tenant_id} topic:%{WORD:topic}"]
			tag_on_failure => "wrong_grok_expression_per_project"
		}
	}
	# Applies to every type starting with "egw", i.e. both types handled above.
	if [type] =~ "^egw.*" {
		# Parse logdate as a UNIX epoch value and store the result in @timestamp.
		date {
			match => ["logdate","UNIX"]
			target => "@timestamp"
		}
		# NOTE(review): no target is set here, so the parsed localtimestamp goes to
		# the date filter's default target, @timestamp, and replaces the value the
		# previous date filter just wrote. The sample event in this post shows
		# @timestamp equal to localtimestamp, which is consistent with that.
		# To keep both values, this filter needs its own target field.
		date {
			match => ["localtimestamp","ISO8601"]
		}
		mutate {
			# grok captures are strings; convert the two counters to integers.
			# "perTenentEvents" is spelled the same way as the grok capture name above.
			convert => [ "perTenentEvents", "integer"]
			convert => [ "perFileEvents", "integer"]
			remove_tag => ["beats_input_codec_plain_applied"]
		}
	}
}

For some reason, the logdate field is not converted to a date:

"@timestamp" => "2016-12-27T12:58:27.000Z",
"source" => "/efs/utils/egwCounter/perProject.log",
"offset" => 66273153,
"type" => "egw_per_project_stats",
"count" => 1,
"host" => "ip-10-24-120-10",
"tags" => [],
"localtimestamp" => "2016-12-27T12:58:27+0000",
"filename" => "201612261611.0.v2.json.log.gz",
"logdate" => "1482768660",
"perTenentEvents" => 1,
"tenant_id" => "116164",
"topic" => "defaultTenantsTopic"

Can anyone help here?

thanks in advance
Ronny


(Magnus Bäck) #2

You have two date filters. Even if the logdate field is parsed and stored in @timestamp, the second date filter that comes immediately after will overwrite the @timestamp value with the timestamp parsed from localtimestamp, because a date filter without an explicit target writes to @timestamp by default.

