With input lines like:
{"count":10, "timestamp":"2015-09-22T00:00:00.000Z"}
I am unable to fingerprint based off of the date extracted by my date filter. For fingerprint, it's exactly the same for all of my messages when based off of @timestamp but it is in-fact unique when I use the timestamp field (or count for that matter).
I was able to confirm that the @timestamp field is being created successfully off of the date filter so hopefully I'm just missing something here syntactically?
My config:
filter {
date {
match => ['timestamp', 'ISO8601']
}
# also played with checksum
# checksum {
# algorithm => 'md5' # works as expected
# }
fingerprint {
method => 'MD5'
key => '00000000'
target => 'fingerprint'
#source => [ 'timestamp' ] ## works!
#source => [ 'count' ] ## works!
source => [ '@timestamp' ] #does not work!
}
}
output {
stdout {
codec => 'json'
}
elasticsearch {
host => '127.0.0.1'
cluster => 'logstash'
document_id => '%{fingerprint}'
}
}