Incoming syslog date missing in timestamp

Hi, I'm receiving syslog from a logstash pipeline, and it doesn't have a date field. How can I manipulate the date using the system's current date by matching "message_time"?

"message_time" => "13:51:10"

You could try

mutate { replace => { "message_time" => "%{+YYYY/MM/dd} %{message_time}" } }

Note that this uses the value of [@timestamp], which may be wrong. If syslog sends a message at 23:59:59.999 then logstash will get it the next day and add the next day's date to that time. If that is a dealbreaker then you would have to write some logic in a ruby filter to determine how improbable the resulting date+time is, and how to adjust it.

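The midnight rollover the answer warns about, worked through as an added example (not code from the thread): the time-of-day is combined with today's date, and if the result lands further in the future than a tolerance window, the message is assumed to have been sent just before midnight and the previous day's date is used instead. The function names, the 300-second tolerance and the use of UTC are assumptions; in a Logstash ruby filter the same logic would read the field with event.get and write it back with event.set.

```ruby
require 'time'

# Combine a syslog time-of-day such as "13:51:10" with the date of `now`
# (the receiving system's clock, UTC, like Logstash's @timestamp).
# If the combined timestamp lies more than `tolerance` seconds ahead of
# `now`, the message was almost certainly emitted before midnight and
# received after it, so roll the date back by one day.
# Returns a Time, or nil when the field is not a valid HH:MM:SS value.
def resolve_message_time(message_time, now: Time.now.utc, tolerance: 300)
  m = /\A(\d{2}):(\d{2}):(\d{2})\z/.match(message_time.to_s)
  return nil unless m
  hour, min, sec = m.captures.map(&:to_i)
  return nil if hour > 23 || min > 59 || sec > 59

  candidate = Time.utc(now.year, now.month, now.day, hour, min, sec)
  # Only a large positive gap is suspicious; a message that is merely a
  # few seconds "early" (clock skew) keeps today's date.
  candidate -= 86_400 if candidate - now > tolerance
  candidate
end

# Render the result in the same "YYYY/MM/dd HH:MM:SS" layout that the
# mutate/replace one-liner in the answer produces, so a date filter
# downstream can parse either variant identically.
def format_message_time(message_time, now: Time.now.utc, tolerance: 300)
  ts = resolve_message_time(message_time, now: now, tolerance: tolerance)
  ts && ts.strftime('%Y/%m/%d %H:%M:%S')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: received 5 seconds after midnight UTC on 2024-03-02
  received = Time.utc(2024, 3, 2, 0, 0, 5)
  puts format_message_time('23:59:59', now: received) # previous day
  puts format_message_time('00:00:01', now: received) # same day
end
```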
