Error to set custom date pattern and change value of @timestamp

I've tried to use the following code to change the value of @timestamp but I couldn't do it..

input {
   pipeline { address => crontab }

filter {
   grok {
    match => { "message" => "(?<fecha>%{MONTH}  %{MONTHNUM} %{HOUR}:%{MINUTE}:%{SECOND})"}
    tag_on_failure => ["no_date_found"]
    target => "fecha"
   date {
     match => [ "fecha", "MMM  d HH:mm:ss"]
     target => "@timestamp"
     tag_on_failure => ["_dateparsefailure"]

   mutate {
      add_field => { "[custom_index_name]" => "filebeat-logstash-%{[fields][name]}-%{+YYYY.MM.dd}" }

output {
  pipeline { send_to => elasticsearch }

The date in the messagefield is the following:
Jun 7 14:14:01

How should I set up the configuration file to get the correct value of date and put it in @timestamp field?
Thank you!

That has two spaces between MMM and d, but your example data only has one.

It's true @Badger , but after change that, the error continues... Do you know why? Thank you !

You also have a target specified as part of your grok ... this will result in any grok'ed fields being sub-fields to the specified top-level field called fecha - ie: your extracted date field will actually be in fecha.fecha. You should remove the target in the grok or if you need it, then to access the date field, your date match syntax needs to be the following - as well as taking @Badger's comment into consideration or use the recommended pattern in LS docs:

match => [ "[fecha][fecha]", "MMM dd HH:mm:ss"]`.

You can also simplify your grok match to leverage the built-in syslog time format:

match => {"message" => "%{SYSLOGTIMESTAMP:fecha}"}`

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.