I'm evaluating Elastic Cloud and couldn't figure out how to configure Filebeat to use the timestamp provided in my log file instead of using the time when the file is being read.
Currently, when searching in Kibana, the documents are shown like this: Apr 24, 2020 @ 16:30:48.998 2020-04-24 18:48:10.455 INFO ServersManager:544 - [0176-0178-730105] Réplica tabela SYNC_STATUS: concluido. 0 recs em 0 secs
And I'd like them to appear like this: Apr 24, 2020 @ 18:48:10.455 INFO ServersManager:544 - [0176-0178-730105] Réplica tabela SYNC_STATUS: concluido. 0 recs em 0 secs
Hi @Regis_Oliveira, welcome to the Elastic community forums!
To achieve what you want you'll need to take two steps in your Filebeat configuration:
1. You'll want to parse out the timestamp portion from your log messages. For this, take a look at the dissect processor. If you haven't used Filebeat processors before, you'll want to read their documentation.
2. Once you've parsed your timestamp into its own field, you'll want to use it to set the @timestamp field that Kibana typically looks at for time series data. For this, take a look at the timestamp processor.
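The two steps from the answer above, written out as a Filebeat configuration. This is an added example, not part of the original thread and not Elastic's own configuration. The log path, the `parsed` prefix, the field names `ts`, `level` and `body`, and the `Local` timezone are assumptions, as is the reliance on dissect's append modifier joining the date and time tokens with a single space.

```yaml
filebeat.inputs:
  - type: log
    paths:
      - /var/log/myapp/server.log   # placeholder path, replace with your own

processors:
  # Step 1: split the line on spaces. The two "+ts" keys append the date
  # token and the time token into one field (assumed to be joined with a
  # single space), giving parsed.ts = "2020-04-24 18:48:10.455".
  - dissect:
      field: message
      target_prefix: parsed
      tokenizer: "%{+ts} %{+ts} %{level} %{body}"

  # Step 2: parse parsed.ts and write the result into @timestamp.
  # Layouts use Go reference-time notation; ".000" means exactly three
  # fractional digits (milliseconds).
  - timestamp:
      field: parsed.ts
      layouts:
        - '2006-01-02 15:04:05.000'
      # Assumption: the log lines carry no zone offset and were written in
      # the local time of the host running Filebeat. Use an IANA zone name
      # or UTC instead if that is not the case.
      timezone: Local
      # Sample value from the question, checked against the layouts when
      # the processor is loaded.
      test:
        - '2020-04-24 18:48:10.455'

  # Optional: the raw string is no longer needed once @timestamp is set.
  - drop_fields:
      fields: ["parsed.ts"]
      ignore_missing: true
```

With this in place, `parsed.body` holds the line without the leading timestamp and level, while `message` keeps the original line unchanged.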