Thank you Badger. Your idea was correct, but there is something wrong with the format pattern. I had to replace it with "ISO8601" to get it to work.
Now everything seems to be working and the messages are flowing through HTTP in gzip JSON packages.
Here is the final configuration for documentation purposes.
Sending conf:
output {
http {
http_compression => true
http_method => put
cacert => "../cert/server.pem"
format => "json_batch"
content_type => "application/json;charset=UTF-8"
url => "https://address.xyz:8080/organization1/env"
headers => ["Authorization", "Basic blaablaablaa"]
}
}
Receiving conf:
input {
http {
port => 8080
user => user
password => password
ssl => true
keystore => "/path/to/keystore.jks"
keystore_password => "keystore_password"
}
}
filter {
json {
source => "message"
target => "messageArray"
}
split {
field => "messageArray"
}
date {
match => [ "[messageArray][@timestamp]", "ISO8601" ]
target => "[messageArray][@timestamp]"
}
ruby {
code => '
if (event.get("messageArray"))
event.get("messageArray").each { |k,v|
event.set(k,v);
}
end
'
}
mutate {
remove_field => [ "messageArray" ]
}
}