How to overwrite Log time values with @timestamp

Vivin_Pai · November 21, 2016, 8:55am

I have created a conf file for Logstash.

input {
file {
path => "/advdata/tmp/Error_Trace_blrhpbl_SC1*.txt"
start_position => "beginning"
}
}

filter {
date {
match => [ "logdate", "YYYY/MM/DD-HH:MM:SS" ]
}
}

output {
elasticsearch {
hosts => ["localhost:9200"]
user => "elastic"
password => "changeme"
}

stdout { codec => rubydebug }
}

When i run the logstash, sample output

{
"path" => "/advdata/tmp/Error_Trace_blrhpbl_SC1_19112016.txt",
"@timestamp" => 2016-11-21T09:50:13.755Z,
"@version" => "1",
"host" => "blrvmds-03",
"message" => "blrhpbl001-bl06:2016/11/19-07:25:11.741378-57989-60661-IMS_G_PCS_CORE_277- ERROR : (CCoGxServingState.cxx:989) CCoGxServingIdle#receiveSPRReadResp: ",
"tags" => []
}

Log file has the timestamp at 2016/11/19-07:25:11, whereas @timestamp shows 2016-11-21T09:50:13.755Z (current date on logstash machine). How do i replace the @time stamp with 2016/11/19-07:25:11 ?

Andrew_Cholakian1 · November 21, 2016, 4:59pm

You will first need to parse out the logdate field, which it looks like is not done correctly. You'll need to use the grok filter to parse your message first.

Vivin_Pai · November 28, 2016, 7:05am

thanks it is working.

This is the filter used

filter {
grok {
match => { "message" => "%{DATE_EU:date}-%{TIME:time}.[0-9]+" }
}

mutate {
gsub => [ "date","/","-" ]
add_field => { "timestamp" => "20%{date} %{time}" }
}

date {
match => [ "timestamp", "YYYY-MM-dd HH:mm:ss" ]
timezone => "Asia/Calcutta"
locale => "en"
}
}

system · December 26, 2016, 7:05am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.