Default @timestamp not overridden

Fabrizio_Micheloni · March 23, 2017, 10:07am

Hi all!

I have the following scenario.

Example of my log

2017-03-22 16:24:49.710 | abc | def | ghi | 127.0.0.1 | | My message

I'm able to parse it properly with a grok filter and trying to override the default timestamp:

filter {
  date {
    match => ["time", "yyyy-MM-dd HH:mm:ss.SSS"]
    target => "@timestamp"
  }
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:time} \| %{WORD:trackingId} \| %{WORD:request} \| %{WORD:session} \| %{IP:client} \| %{DATA:userId} \| %{GREEDYDATA:data}" }
  }
}

Apparently, the message is parsed properly by the grok filter but the @timestamp remains the same and it's value is not set to the time in my log!

What am I doing wrong?

Thank,

Nano

magnusbaeck · March 23, 2017, 10:50am

Filters are evaluated in order so you need to put the date filter after the grok filter.

system · April 20, 2017, 10:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.