Ok. So I tried your recommendations.
Here is the modified filter:
# Parses Solr application log lines that arrive as syslog events (type "syslog")
# from the listed hosts and derives @timestamp from the timestamp embedded in
# the line itself rather than from the syslog header.
filter {
if [type] == "syslog" {
# Only events whose logsource is one of these three values are touched; the
# comparison is presumably an exact string match, so "SOLR3" and "solr3"
# would not be treated as the same host.
if [logsource] in [ "solr2","SOLR3","solr1" ] {
grok {
# Splits "<program> <ISO-8601 timestamp> <level> <rest>" into syslog_program,
# ts, loglevel and syslog_message; GREEDYDATA swallows everything after the
# level, so the message body is kept verbatim.
match => { "message" => "%{SYSLOGHOST:syslog_program} %{TIMESTAMP_ISO8601:ts} %{LOGLEVEL:loglevel} %{GREEDYDATA:syslog_message}" }
# NOTE(review): add_field is applied here, before the date filter below has
# run, so received_at captures the @timestamp the event had on arrival (the
# syslog-header time), not the value later parsed from ts.
add_field => [ "received_at", "%{@timestamp}" ]
add_field => [ "received_from", "%{host}" ]
}
# Overwrites @timestamp with the value parsed from ts. The log line carries no
# zone information, so UTC is declared explicitly rather than relying on the
# pipeline host's local zone.
date {
match => [ "ts", "yyyy-MM-dd HH:mm:ss.SSS" ]
timezone => "UTC"
}
}
}
}
And this is the output:
{
"@timestamp" => 2019-02-20T15:44:30.034Z,
"type" => "syslog",
"logsource" => "solr2",
"ts" => "2019-02-20 15:44:30.034",
"timestamp" => "Feb 20 16:44:30",
"loglevel" => "INFO",
"host" => "172.17.0.1",
"syslog_message" => " (searcherExecutor-12-thread-1) [ ] o.a.s.c.QuerySenderListener QuerySenderListener done.",
"received_at" => "2019-02-20T16:44:30.000Z",
"severity" => 5,
"facility" => 16,
"priority" => 133,
"severity_label" => "Notice",
"@version" => "1",
"syslog_program" => "SOLR",
"message" => "SOLR 2019-02-20 15:44:30.034 INFO (searcherExecutor-12-thread-1) [ ] o.a.s.c.QuerySenderListener QuerySenderListener done.",
"facility_label" => "local0",
"received_from" => "172.17.0.1"
}
Now how do I get the value of `ts` to become the `@timestamp` that is indexed in Elasticsearch?