How to overwrite Log time values with @timestamp


(Vivin Pai) #1

I have created a conf file for Logstash.

input {
  file {
    path => "/advdata/tmp/Error_Trace_blrhpbl_SC1*.txt"
    start_position => "beginning"
  }
}

filter {
  date {
    match => [ "logdate", "YYYY/MM/DD-HH:MM:SS" ]
  }
}

output {
  elasticsearch {
    hosts => ["localhost:9200"]
    user => "elastic"
    password => "changeme"
  }

  stdout { codec => rubydebug }
}

When I run Logstash, sample output:

{
  "path" => "/advdata/tmp/Error_Trace_blrhpbl_SC1_19112016.txt",
  "@timestamp" => 2016-11-21T09:50:13.755Z,
  "@version" => "1",
  "host" => "blrvmds-03",
  "message" => "blrhpbl001-bl06:2016/11/19-07:25:11.741378-57989-60661-IMS_G_PCS_CORE_277- ERROR : (CCoGxServingState.cxx:989) CCoGxServingIdle#receiveSPRReadResp: ",
  "tags" => []
}

The log file has the timestamp 2016/11/19-07:25:11, whereas @timestamp shows 2016-11-21T09:50:13.755Z (the current date on the Logstash machine). How do I replace the @timestamp with 2016/11/19-07:25:11?


(Andrew Cholakian) #2

You will first need to parse out the logdate field, which it looks like is not done correctly. You'll need to use the grok filter to parse your message first.


(Vivin Pai) #3

Thanks, it is working.

This is the filter used:

filter {
  grok {
    match => { "message" => "%{DATE_EU:date}-%{TIME:time}.[0-9]+" }
  }

  mutate {
    gsub => [ "date","/","-" ]
    add_field => { "timestamp" => "20%{date} %{time}" }
  }

  date {
    match => [ "timestamp", "YYYY-MM-dd HH:mm:ss" ]
    timezone => "Asia/Calcutta"
    locale => "en"
  }
}
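
The grok-then-date pipeline described in this thread, reproduced in Python as an added illustration (not code from the thread or from Logstash) so the resulting @timestamp and the gap to the ingest time can be checked offline. It assumes a constructed message in the same layout as the one in the question, captures the full year from the log rather than prefixing "20", and stands in a fixed +05:30 offset for the "Asia/Calcutta" zone used by the filter.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample line with the same layout as the message shown in the thread.
SAMPLE_MESSAGE = (
    "blrhpbl001-bl06:2016/11/19-07:25:11.741378-57989-60661-IMS_G_PCS_CORE_277-"
    " ERROR : (CCoGxServingState.cxx:989) CCoGxServingIdle#receiveSPRReadResp: "
)

# Stand-in for the grok step: capture the full yyyy/MM/dd-HH:mm:ss prefix plus the
# fractional seconds, so the year comes from the log instead of a "20" prefix.
LOG_TIME_RE = re.compile(
    r"(?P<logdate>\d{4}/\d{2}/\d{2}-\d{2}:\d{2}:\d{2})\.(?P<frac>\d+)"
)

# The filter in the thread uses timezone => "Asia/Calcutta"; IST has no DST, so a
# fixed +05:30 offset is assumed here to avoid depending on the system tz database.
LOG_TZ = timezone(timedelta(hours=5, minutes=30))


def extract_event_time(message: str) -> datetime:
    """Return the event time embedded in the message as an aware UTC datetime,
    i.e. the value the date filter writes into @timestamp."""
    m = LOG_TIME_RE.search(message)
    if m is None:
        # Logstash would tag the event _grokparsefailure and keep the ingest time.
        raise ValueError("no log timestamp found in message")
    local = datetime.strptime(m.group("logdate"), "%Y/%m/%d-%H:%M:%S")
    micros = int(m.group("frac")[:6].ljust(6, "0"))  # keep at most 6 digits
    return local.replace(microsecond=micros, tzinfo=LOG_TZ).astimezone(timezone.utc)


def format_timestamp(dt: datetime) -> str:
    """Render like the rubydebug output, e.g. 2016-11-19T01:55:11.741Z."""
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def ingest_lag_seconds(message: str, ingested_at: str) -> float:
    """Seconds between the event time in the message and an ingest-time
    @timestamp (ISO 8601 with trailing Z), as seen in the original output."""
    ingested = datetime.strptime(ingested_at, "%Y-%m-%dT%H:%M:%S.%fZ")
    ingested = ingested.replace(tzinfo=timezone.utc)
    return (ingested - extract_event_time(message)).total_seconds()


if __name__ == "__main__":
    print("@timestamp:", format_timestamp(extract_event_time(SAMPLE_MESSAGE)))
    print("lag (s):   ", ingest_lag_seconds(SAMPLE_MESSAGE, "2016-11-21T09:50:13.755Z"))
```

A lag of more than two days, as here, is what an investigator sees when events are stamped with ingest time instead of event time, so the date filter's output is worth checking against a few known lines before relying on it for timelines.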


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.