I have 3 datetime string fields, and I want to parse them with the date filter and make the last one the @timestamp of the doc:
date {
  match => ["syslog.timestamp", "MMM dd HH:mm:ss"]
  target => "syslog.timestamp"
}
date {
  match => ["skyeye.timestamp", "yyyy-MM-dd HH:mm:ss"]
  target => "skyeye.timestamp"
}
date {
  match => ["[skyeye][access_time]", "ISO8601"]
}
Both syslog and skyeye are top-level object fields, and this configuration works correctly.
Here is my problem.
If I refer to the former two fields with the '[][]' format:
date {
  match => ["[skyeye][timestamp]", "yyyy-MM-dd HH:mm:ss"]
  target => "skyeye.timestamp"
}
I get an error message in the DLQ:
#<LogStash::Event:0x247e42b8>], response: {"index"=>{"_index"=>"syslog-000001", "_type"=>"doc", "_id"=>"6X23RWUBVU5Xq3uPB_7M", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [skyeye.timestamp]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"2018-08-17 10:29:08\" is malformed at \" 10:29:08\""}}
But if I refer to the last field using the '.' format:
date {
  match => ["skyeye.access_time", "ISO8601"]
}
the @timestamp is not set properly.
I am very confused.
Please help.