Default @timestamp not overridden

Fabrizio_Micheloni · March 23, 2017, 10:07am

Hi all!

I have the following scenario.

Example of my log

2017-03-22 16:24:49.710 | abc | def | ghi | 127.0.0.1 | | My message

I'm able to parse it properly with a grok filter and trying to override the default timestamp:

filter {
  date {
    match => ["time", "yyyy-MM-dd HH:mm:ss.SSS"]
    target => "@timestamp"
  }
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:time} \| %{WORD:trackingId} \| %{WORD:request} \| %{WORD:session} \| %{IP:client} \| %{DATA:userId} \| %{GREEDYDATA:data}" }
  }
}

Apparently, the message is parsed properly by the grok filter but the @timestamp remains the same and it's value is not set to the time in my log!

What am I doing wrong?

Thank,

Nano

magnusbaeck · March 23, 2017, 10:50am

Filters are evaluated in order so you need to put the date filter after the grok filter.

system · April 20, 2017, 10:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Troubles with setting @timestamp Logstash	1	292	December 13, 2018
@timestamp not overwriten by date filter Logstash	12	4039	July 6, 2017
How to override @timestamp with your log timestamp in logstash Logstash	2	275	December 25, 2019
How to overwrite Log time values with @timestamp Logstash	3	2316	December 26, 2016
@timestamp field cannot change even date filter is correct: default to YYYY.01.01 Logstash	2	679	November 26, 2017

Default @timestamp not overridden

Related topics