+FORMAT syntax works for @timestamp field only?

Can some other timestamp field be used with the +FORMAT syntax?

index => "${ELASTICSEARCH_INDEX}.%{+yyyy.MM.dd}"

The above config line would use @timestamp as the input for the format definition, but I'd like to use some other field.

Since I don't need the default @timestamp field in the index, but would like to use the +FORMAT syntax for the index naming, I have to use the following workaround (my "local" timestamp field is server_time in ISO8601 format):

mutate {
        copy => { "server_time" => "@timestamp" }
        add_field => { "[@metadata][date]" => "%{+yyyy.MM.dd}" }
        remove_field => [ "@version", "@timestamp", "host", ...]
}

And in the ES output:

index => "${ELASTICSEARCH_INDEX}-%{[@metadata][date]}"

Would be glad if someone could share a more elegant solution.

No, it always uses @timestamp.

Thanks for confirming that!
I'm asking myself: why didn't they mention this point in the documentation? Just one small sentence would save a lot of time...
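
An added example, not part of the thread and not Logstash's own code: since `%{+FORMAT}` is confirmed above to read only `@timestamp`, the date suffix can instead be computed directly from `server_time`, shown here in Ruby (the language of Logstash's ruby filter). The names `index_date` and `index_name`, the `unparsed` fallback suffix and the sample values are assumptions made for this example.

```ruby
require "time"

# Constructed sample values for the thread's server_time field (ISO8601).
SAMPLES = [
  "2024-03-01T23:30:00-05:00", # already 2 March once normalised to UTC
  "2024-03-01T10:15:00Z",
  "not-a-date",                # malformed value
  nil                          # field missing from the event
].freeze

# Return the yyyy.MM.dd suffix for a daily index, computed in UTC from the
# event's own timestamp field. Returns nil when the value is missing or is
# not valid ISO8601, so the caller can pick a fixed fallback instead of
# letting unparsed event content end up in the index name.
def index_date(server_time)
  return nil unless server_time.is_a?(String)
  Time.iso8601(server_time.strip).utc.strftime("%Y.%m.%d")
rescue ArgumentError
  nil
end

# Build the full index name; "unparsed" is a hypothetical fallback suffix.
def index_name(prefix, server_time)
  "#{prefix}-#{index_date(server_time) || 'unparsed'}"
end

# In a Logstash ruby filter the same logic would read the field with
# event.get("server_time") and store the result with
# event.set("[@metadata][date]", ...), leaving @timestamp untouched.

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |s| puts "#{s.inspect} -> #{index_name('logs', s)}" }
end
```

Normalising to UTC before formatting keeps events from different time zones in the same daily index, and the fallback keeps malformed `server_time` values out of the date-based index names.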
