From Logdate generate @timestamp

Hi,

I have a problem concerning the @timestamp.
So the timestamp should be the date from the logs and not the time Filebeat read something into ELK.

Please find attached my Logs:

19.03.2018 19:50:55 Hostname : Message
19.03.2018 19:50:56 Hostname : Message
19.03.2018 19:50:56 Hostname : Message

My config from Logstash is the following:

filter {
        if [fields][LogEvent] == "Schnittstellen" {
                grok {
                        match => {"message" => "%{DATE:Datum} %{TIME:Uhrzeit} %{HOSTNAME:Hostname} :\ %{GREEDYDATA:message}"}
                        overwrite => ["message"]
                }
                date {
                        match => ["timestamp", ${DATE:Datum} ${TIME:Uhrzeit}]
                        target => ["@timestamp"]
                }
        }
}

I am trying to generate a timestamp from the fields DATE:Datum and TIME:Uhrzeit, but that seems to be bad formatting.

Thanks for some advice

Two problems:

  • You're asking the date filter to parse a timestamp field but there is no such field.
  • The date pattern is totally wrong.

Suggestion:

                grok {
                        match => {"message" => "^%{DATE:Datum} %{TIME:Uhrzeit} %{HOSTNAME:Hostname} :\ %{GREEDYDATA:message}"}
                        overwrite => ["message"]
                        add_field => {
                          "timestamp" => "%{Datum} %{Uhrzeit}"
                        }
                        remove_field => ["Datum", "Uhrzeit"]
                }
                date {
                        match => ["timestamp", "dd.MM.yyyy HH:mm:ss"]
                        target => ["@timestamp"]
                        remove_field => ["timestamp"]
                }
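
An added example, not part of the original thread: a Python check that mirrors the suggested grok and date steps, so sample lines can be confirmed to yield the log's own time and so it is visible which events would fall back to ingest time and skew a timeline. The regex stands in for the grok patterns, and `to_event`, the UTC+1 source zone and the ingest time are assumptions made for the illustration; `_grokparsefailure` and `_dateparsefailure` are the tags Logstash applies by default when those filters fail.

```python
import re
from datetime import datetime, timedelta, timezone

# Regex equivalent of the line layout the grok expression targets:
# "<dd.MM.yyyy> <HH:mm:ss> <hostname> : <message>"
LINE_RE = re.compile(
    r"^(?P<Datum>\d{2}\.\d{2}\.\d{4}) (?P<Uhrzeit>\d{2}:\d{2}:\d{2}) "
    r"(?P<Hostname>\S+) : (?P<message>.*)$"
)
# strptime equivalent of the date filter pattern "dd.MM.yyyy HH:mm:ss"
DATE_FORMAT = "%d.%m.%Y %H:%M:%S"


def to_event(line, source_tz, ingest_time):
    """Build an event whose @timestamp is the log time, or ingest time on failure."""
    event = {"@timestamp": ingest_time, "message": line, "tags": []}
    m = LINE_RE.match(line)
    if m is None:
        event["tags"].append("_grokparsefailure")
        return event
    event.update(Hostname=m["Hostname"], message=m["message"])
    try:
        local = datetime.strptime(f"{m['Datum']} {m['Uhrzeit']}", DATE_FORMAT)
    except ValueError:
        # Looks like a date but is not one: keep ingest time and tag the event
        event["tags"].append("_dateparsefailure")
        return event
    # Log time carries no zone; attach the source zone, then store as UTC
    event["@timestamp"] = local.replace(tzinfo=source_tz).astimezone(timezone.utc)
    return event


if __name__ == "__main__":
    cet = timezone(timedelta(hours=1))  # assumption: hosts log in UTC+1
    ingest = datetime(2018, 3, 20, 8, 0, 0, tzinfo=timezone.utc)  # constructed
    samples = [
        "19.03.2018 19:50:55 Hostname : Message",  # line from the post
        "31.02.2018 10:00:00 Hostname : Message",  # constructed: invalid date
        "Hostname : Message without timestamp",    # constructed: no timestamp
    ]
    for line in samples:
        ev = to_event(line, cet, ingest)
        print(ev["@timestamp"].isoformat(), ev["tags"], ev["message"])
```

In Logstash itself the source zone is set with the date filter's `timezone` option; without it the filter interprets zone-less timestamps in the Logstash host's local zone.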

That's the solution, thanks a lot.
