I'm sending SMF records from a mainframe to ELK. It's just a CSV file with a bunch of values.
Anyway, when I look at the unparsed message in Kibana, all of the times/dates are accurate. However, after the record is parsed, the dates are 1-2 days early and the time is always 18:00:00. The @timestamp is accurate (because that is generated by Logstash/Elastic).
Any idea why?
Here's my code (FYI, this is from a Docker container where I have the same issue).
All the parsing works as expected; the only issue is the inaccurate dates/times WITHIN the fields of the record.
input {
  beats {
    port => 5000
  }
}

## Add your filters / logstash plugins configuration here
filter {
  # One Beats event can carry several SMF records; with no "field" set,
  # split breaks "message" on "\n" into one event per record.
  split {
  }

  mutate {
    add_field => { "[@metadata][indexname]" => "%{[sourceType]}-%{[sysplexName]}" }
  }
  mutate {
    lowercase => [ "[@metadata][indexname]" ]
  }

  if [source] =~ "table" {
    csv {
      columns   => [ "Correlator", "SMF30LEN", "SMF30SEG", "SMF30FLG", "SMF30RTY", "SMF30TME", "SMF30DTE", "SMF30SID", "<shortened for easier reading>" ]
      separator => ","
    }
    mutate {
      add_field => { "[@metadata][timestamp]" => "%{SMF30DTE} %{SMF30TME}" }
    }
    # Without "target", a successful match overwrites @timestamp; a failed match
    # leaves @timestamp as set by Beats/Logstash and adds the "_dateparsefailure" tag.
    # The pattern must match the literal separators in the data (":" vs "." before
    # the hundredths); "timezone" can be set here if the record's time is not UTC.
    date {
      match => [ "[@metadata][timestamp]", "YYYY-MM-dd HH:mm:ss:SS" ]
    }
  }
}

output {
  elasticsearch {
    hosts  => "elasticsearch:9200"
    action => "index"
    index  => "cdp-%{[@metadata][indexname]}-%{+yyyyMMdd}"
  }
}
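As an added example (not code from the original post), the arithmetic behind the reported symptom: a date-only string that is stored as midnight UTC and then rendered by a viewer in a UTC-6 zone comes out as the previous day at 18:00:00, while the full SMF30DTE/SMF30TME pair parsed with an explicit zone keeps its day and time. The sample values, the UTC-6 viewer offset and the colon-separated hundredths in SMF30TME are assumptions.

```python
"""Added example, not from the original post: why a date-only value renders as
'previous day, 18:00:00' in a UTC-6 zone, next to the full SMF30DTE/SMF30TME
pair parsed with a zone. Sample values and field formats are constructed."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def parse_smf_timestamp(smf30dte: str, smf30tme: str, record_tz=UTC) -> datetime:
    """Parse "%{SMF30DTE} %{SMF30TME}" the way the Logstash pattern
    "YYYY-MM-dd HH:mm:ss:SS" would: date, space, time with colon-separated
    hundredths. strptime's %f accepts 1-6 digits and right-pads, so "78"
    becomes 780000 microseconds (0.78 s). The zone the record was written
    in (record_tz) is an assumption supplied by the caller."""
    combined = f"{smf30dte} {smf30tme}"
    naive = datetime.strptime(combined, "%Y-%m-%d %H:%M:%S:%f")
    return naive.replace(tzinfo=record_tz)


def render_in_zone(stored: datetime, viewer_offset_hours: int) -> str:
    """Render an aware datetime in the viewer's fixed-offset zone, as a UI that
    displays in browser local time does."""
    viewer_tz = timezone(timedelta(hours=viewer_offset_hours))
    return stored.astimezone(viewer_tz).strftime("%Y-%m-%d %H:%M:%S")


def date_only_rendered_in_zone(smf30dte: str, viewer_offset_hours: int) -> str:
    """A bare "YYYY-MM-dd" string stored as a date has no time or zone, so it
    is stored as midnight UTC; rendering that instant in a zone west of UTC
    yields the previous calendar day at (24 + offset):00:00."""
    stored_utc = datetime.strptime(smf30dte, "%Y-%m-%d").replace(tzinfo=UTC)
    return render_in_zone(stored_utc, viewer_offset_hours)


def full_timestamp_rendered_in_zone(smf30dte: str, smf30tme: str,
                                    record_offset_hours: int,
                                    viewer_offset_hours: int) -> str:
    """The same record parsed with date and time together and an explicit
    record zone: the stored instant is correct, so rendering it in the same
    zone gives back the original day and time."""
    record_tz = timezone(timedelta(hours=record_offset_hours))
    stored = parse_smf_timestamp(smf30dte, smf30tme, record_tz)
    return render_in_zone(stored, viewer_offset_hours)


if __name__ == "__main__":
    # Constructed sample record; viewer and record assumed to be in UTC-6.
    dte, tme = "2019-03-05", "14:22:31:78"
    print("date only, midnight UTC, viewed at UTC-6:",
          date_only_rendered_in_zone(dte, -6))
    print("date+time, record zone UTC-6, viewed at UTC-6:",
          full_timestamp_rendered_in_zone(dte, tme, -6, -6))
```

The first call reproduces a value one day early at 18:00:00 from a correct-looking date string; the second shows that carrying the time and the record's zone into the stored instant avoids it.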