How to replace @timestamp to the log files mentioned date?

Elastic Stack Logstash
1

Hi,
i have attached the configuration file. Can please help me out to copy the LOGTIME to @timestamp.

input {
beats {
port => 5044
}
}
filter {
grok{
match => {"message" => "%{TIMESTAMP_ISO8601:LOGTIME}|%{WORD:LOGLEVEL}|%{WORD:MACHINE}|%{WORD:PROCESSID}|%{WORD:SERVICENAME}|%{WORD:PROCESS}\s+%{NUMBER:DURATION:float}\s+%{WORD:UNIT}"}
match => {"message" => "%{TIMESTAMP_ISO8601:LOGTIME}|%{WORD:LOGLEVEL}|%{WORD:MACHINE}|%{WORD:PROCESSID}|%{WORD:SERVICENAME}|[%{WORD:PROCESS}]\s+%{NUMBER:DURATION:float}\s+%{WORD:UNIT}"}
match => {"message" => "%{TIMESTAMP_ISO8601:LOGTIME}|%{WORD:LOGLEVEL}|%{WORD:MACHINE}|%{WORD:PROCESSID}|%{WORD:SERVICENAME}|(?%{WORD} %{WORD} %{WORD})\s+:\s+%{NUMBER:DURATION:float}\s+%{WORD:UNIT}"}
match => {"message" => "%{TIMESTAMP_ISO8601:LOGTIME}|%{WORD:LOGLEVEL}|%{WORD:MACHINE}|%{WORD:PROCESSID}|%{WORD:SERVICENAME}|[%{WORD:PROCESS}]"}
match => {"message" => "%{TIMESTAMP_ISO8601:LOGTIME}|%{WORD:LOGLEVEL}|%{WORD:MACHINE}|%{WORD:PROCESSID}|%{WORD:SERVICENAME}|<%{WORD:PROCESS}>"}
match => {"message" => "%{TIMESTAMP_ISO8601:LOGTIME}|%{WORD:LOGLEVEL}|%{WORD:MACHINE}|%{WORD:PROCESSID}|%{WORD:SERVICENAME}|<%{WORD:PROCESS}>\s+%{NUMBER:DURATION:float}\s+%{WORD:UNIT}"}
match => {"message" => "%{TIMESTAMP_ISO8601:LOGTIME}|%{WORD:LOGLEVEL}|%{WORD:MACHINE}|%{WORD:PROCESSID}|%{WORD:SERVICENAME}|%{GREEDYDATA:MSG}"}
}
date {
match => ["LOGTIME","ISO8601"]
target => "@timestamp"
}
}
output {
elasticsearch{
hosts => "localhost:9200"
manage_template => false
index => "finallog"
document_type => "test"
}
stdout{codec=>rubydebug}
}

image.png
image.png632×544 24.4 KB

Thanks in advance.

3 
date { match => [ "LOGTIME", "YYYY-MM-dd HH:mm:ss" ] }
4

I tried it but the datatype isn't changed to date. Its still string only..

The value of the @timestamp dnt change to my LOGTIME value..

5

LOGTIME will stay as string but @timestamp should now be equal to the date of LOGTIME.

6

Yeah I got it...
It has changed...
Thank you....

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.