How di I map Timestamp to event Timestamp from filebeat thru logstash

jkingstone · February 15, 2023, 9:43am

Hi,
I want to change the @timestamp to the timestamp out of event.original or message. I don't know what I do wrong.
right now the @timestamp is the time where the filebeat logfile ist importet thru logstash into elasticsearch.

@timestamp: Feb 15, 2023 @ 10:36:22.692
event.original: 06-02-2023 13:10:58:034, INFO , ....
message: 06-02-2023 13:10:58:034, INFO , ...

in my sample.conf I try it with:
filter {
date {
match => [ "Event Time", "dd-MM-YYYY HH:mm:ss:SSS" ]
target => "@timestamp"
}
}

Thank you

Badger · February 15, 2023, 5:43pm

Are you using grok or dissect to parse the [Event Time] field from [message]? What does your configuration look like for that?

jkingstone · February 16, 2023, 8:25am

I think that's one of my problems or challenges. I entered Grok, but I suspect that this is where the error lies. I already apologize for my ignorance.

filter {
grok {
match => ["message", "%{SYSLOGBASE} %{GREEDYDATA:new_message}"]
}
date {
match => [ "Event Time", "dd-MM-YYYY HH:mm:ss:SSS" ]
target => "@timestamp"
}
}

Rios · February 16, 2023, 7:52pm

This is not assigned, should be %{SYSLOGBASE:[@metadata][EventTime]}

date {
  match => [ "[@metadata][EventTime]", "dd-MM-YYYY HH:mm:ss:SSS" ]
  target => "@timestamp"
}

Badger · February 16, 2023, 9:05pm

Also, the message format is not going to match SYSLOGBASE. That expects %{MONTH} +%{MONTHDAY} %{TIME}, whereas the [message] field appears to match ISO8601.

jkingstone · February 17, 2023, 7:13am

Thank you for the info, but what or how do I have to enter it then?

Rios · February 17, 2023, 8:53am

%{DATESTAMP:[@metadata][EventTime]},%{SPACE}%{LOGLEVEL:loglevel}

jkingstone · February 17, 2023, 1:23pm

I have now updated my Filter, but in Elasticsearch the cells are empty.

filter {
grok {
match => { "message" => %{DATESTAMP:[@metadata][EventTime]},%{SPACE}%{LOGLEVEL:loglevel, %{GREEDYDATA:message}"}
}
date {
match => [ "timestamp", "dd-MM-yyyy HH:mm:ss:SSS" ]
target => "@timestamp"
}
}

Rios · February 17, 2023, 3:17pm

[@metadata][EventTime] in date:

filter {
grok {
  match => { "message" => "%{DATESTAMP:[@metadata][EventTime]},%{SPACE}%{LOGLEVEL:loglevel, %{GREEDYDATA:message}" }
}
date {
match => [ "[@metadata][EventTime]", "dd-MM-yyyy HH:mm:ss:SSS" ]
target => "@timestamp"
}

}

jkingstone · February 21, 2023, 6:23am

Thank you, that works

system · March 21, 2023, 6:23am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.