Filebeat - json - elastic search - decoding time stamps

motamedi791 · November 1, 2017, 2:09am

I have setup the filebeat to forward json logfiles to the elasticsearch server. Here is my filebeat configuration:

filebeat.prospectors:
- input_type: log
  paths:
    - /data/log/1.log
  json.keys_under_root: true
  json.add_error_key: true
  tail_files: false
  close_removed: true
  clean_removed: true

output.elasticsearch:
  hosts: ["http://XXXXX:9200"]
  template.enabled: true
  template.path: "/etc/filebeat/filebeat.template.json"
  template.overwrite: false
  index: "filebeat"

Everything works and the logs are parsed and stored in elasticsearch, however, the @timestamp of the elastic search is not the same as the timestamp in the file.

Here is the first line of the log file:
{"time":"2017-10-26T12:55:32.772000Z", "field1":"value1"}

and here is the entry in elasticsearch:

@timestamp:October 31st 2017, 21:54:21.687 beat.hostname:XXX beat.name:XXX beat.version:5.6.3 field1:value1 input_type:log offset:63 source:/data/log/1.log time:2017-10-26T12:55:32.772000Z type:log _id:AV91SWr9ZOS8mHYUUnB1 _type:doc _index:filebeat _score: -

Is it possible to have elasticsearch load the timestamp from the log file itself?

Christian_Dahlqvist · November 1, 2017, 12:05pm

You can do this through an ingest pipeline containing a date processor.

system · November 22, 2017, 2:10am

This topic was automatically closed after 21 days. New replies are no longer allowed.

Topic		Replies	Views
Filebeat process timestamp from JSON Beats filebeat	2	2441	June 16, 2020
Filebeat uses process time instead event time Beats filebeat	2	494	June 18, 2021
Problem with JSON logs Beats filebeat	3	558	March 9, 2019
Using index template to read a field as date Beats filebeat	5	4213	September 19, 2018
Filebeat sending json date field as text Beats filebeat	12	2968	November 12, 2018

Filebeat - json - elastic search - decoding time stamps

Related Topics