Works with following config now. Seems like error in kv. After I comment out kv, all works.
Do I need to install something to work with kv filter?
input {
udp {
port => 5514
type => "syslog"
}
}
filter {
mutate {
gsub =>
["message", ": ", ":",
"message", "^<[0-9][0-9][0-9]>", ""]
}
#kv {
field_split => ""," "
source => "message"
add_field => ["sourcetime", "%{date}:%{time}"]
}
#date { match => ["sourcetime","yyyy-MM-dd:HH:mm:ss"]}
}
output {
elasticsearch { hosts => ["localhost:9200"] }
stdout { codec => rubydebug }
}