Default @timestamp not overridden

Fabrizio_Micheloni · March 23, 2017, 10:07am

Hi all!

I have the following scenario.

Example of my log

2017-03-22 16:24:49.710 | abc | def | ghi | 127.0.0.1 | | My message

I'm able to parse it properly with a grok filter and trying to override the default timestamp:

filter {
  date {
    match => ["time", "yyyy-MM-dd HH:mm:ss.SSS"]
    target => "@timestamp"
  }
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:time} \| %{WORD:trackingId} \| %{WORD:request} \| %{WORD:session} \| %{IP:client} \| %{DATA:userId} \| %{GREEDYDATA:data}" }
  }
}

Apparently, the message is parsed properly by the grok filter but the @timestamp remains the same and it's value is not set to the time in my log!

What am I doing wrong?

Thank,

Nano

magnusbaeck · March 23, 2017, 10:50am

Filters are evaluated in order so you need to put the date filter after the grok filter.

Topic		Replies	Views
Logstash timestamp issue Logstash	3	550	February 6, 2017
Logstash date filter not replacing @timestamp field Logstash	3	1289	March 4, 2017
Make @timestamp the same as Log's timestamp Logstash	4	343	June 23, 2019
How to replace @timestamp with actual log time Logstash	18	3710	September 21, 2018
Date filter issues Logstash	2	522	November 24, 2015

Default @timestamp not overridden

Related topics