Filebeat -> @timestamp as eventtime

lupolo · December 8, 2016, 7:04pm

Hi,

I have the following source log:

2016-12-08 18:56:49,666 INFO Field1="x" Field1="x1" Field3="3" Field4="4" Field5="5" Field6="x6" ............. Fieldn="xn"

It is shipped by filebeat to elasticsearch.

How can I set the event time "2016-12-08 18:56:49,666" as @timestamp?

Currently, @timestamp is equal to the time the event was indexed.

Thanks,
Lp

warkolm · December 9, 2016, 12:00am

You either need to use ingest node, or Logstash to grok the event and break out the timestamp.
Filebeat will simply send the event as it.

Topic		Replies	Views
Filebeat uses process time instead event time Beats filebeat	2	537	June 18, 2021
Filebeat new timestamp field Beats filebeat	3	2666	May 29, 2018
Having both filebeat and logstash event time in a log Elasticsearch	0	34	October 14, 2024
Timestamp is ingest timestamp, not event timestamp Logstash	6	1802	October 11, 2020
Setting @timestamp in filebeat Beats filebeat	3	17082	July 18, 2018