Index name with local system date not using message @timestamp

Hi All,

I am new to the ELK stack. I have Logstash 6.5 set up using the link and configuration below.

The question I have is: how do I format the index name with either received_at or the current OS date?

The reason is that the message @timestamp I get from syslog is all over the place: it has past and future timestamps. I have a Curator cron job that deletes any index older than 7 days, and it is based on the index naming. Hence I need the index name to use today's date.

Thanks for the help in advance!
Newbie.

https://www.elastic.co/guide/en/logstash/current/config-examples.html

input {
  tcp {
    port => 5000
    type => syslog
  }
  udp {
    port => 5000
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

I was looking at this post:

https://discuss.elastic.co/t/need-help-to-create-current-date-based-index-in-ls/42834

but got the following error:

[2018-12-22T20:32:21,539][ERROR][logstash.filters.ruby ] Ruby exception occurred: Direct event field references (i.e. event['field']) have been disabled in favor of using event get and set methods (e.g. event.get('field')). Please consult the Logstash 5.0 breaking changes documentation for more details.

So, looking at this:

https://discuss.elastic.co/t/logstash-cannot-assign-correct-date-to-log-timestamp/89249/3

here is the final working config:

filter {
  ruby {
    code => 'event.set("[@metadata][now]", Time.now.strftime("%Y.%m.%d"))'
  }
}
output {
  elasticsearch {
    ...
    index => "logstash-%{[@metadata][now]}"
  }
}
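To show why the ingest-date index matters for name-based retention, here is an added example (not from the post or from Logstash itself) in plain Ruby. The `Event` class is an assumed stand-in for the `event.get`/`event.set` API mentioned in the error above; `timestamp_index` mimics the default `logstash-%{+YYYY.MM.dd}` naming and `ingest_index` the post's `logstash-%{[@metadata][now]}` naming, run over three constructed events with good, stale and future sender clocks.

```ruby
# Minimal stand-in (an assumption, not Logstash's real class) for the
# event.get / event.set API that Logstash 5+ requires inside ruby filters.
class Event
  def initialize(fields)
    @fields = fields
  end
  # Splits "message" into ["message"] and "[@metadata][now]" into ["@metadata", "now"].
  def path(ref)
    ref.start_with?("[") ? ref.scan(/\[([^\]]+)\]/).flatten : [ref]
  end
  def get(ref)
    path(ref).reduce(@fields) { |h, k| h.is_a?(Hash) ? h[k] : nil }
  end
  def set(ref, value)
    keys = path(ref)
    parent = keys[0..-2].reduce(@fields) { |h, k| h[k] ||= {} }
    parent[keys[-1]] = value
  end
end
# The post's ruby filter: record the ingest date under @metadata (never indexed),
# so the index name no longer depends on whatever clock the syslog sender had.
def stamp_ingest_date(event, now = Time.now)
  event.set("[@metadata][now]", now.strftime("%Y.%m.%d"))
end
# Index the post's output block selects: index => "logstash-%{[@metadata][now]}"
def ingest_index(event)
  "logstash-#{event.get('[@metadata][now]')}"
end
# Index Logstash's default pattern logstash-%{+YYYY.MM.dd} would select; it is
# derived from @timestamp, which the date filter set from the syslog header.
def timestamp_index(event)
  "logstash-#{event.get('@timestamp').utc.strftime('%Y.%m.%d')}"
end
# Constructed sample: three senders, one with a stale clock and one running ahead.
def sample_events
  [["ok clock", Time.utc(2018, 12, 22, 20, 30, 0)],
   ["stale clock", Time.utc(2018, 1, 1, 0, 0, 0)],
   ["future clock", Time.utc(2029, 6, 1, 0, 0, 0)]].map do |msg, ts|
    Event.new("message" => msg, "@timestamp" => ts)
  end
end
# Returns [message, index by @timestamp, index by ingest date] for each event.
def route(events, ingest = Time.now)
  events.map do |e|
    stamp_ingest_date(e, ingest)
    [e.get("message"), timestamp_index(e), ingest_index(e)]
  end
end
```

With `route(sample_events, Time.utc(2018, 12, 22, 20, 32, 21))` the stale event would land in `logstash-2018.01.01` (already past a 7-day Curator cutoff) and the future one in `logstash-2029.06.01` (never aged out), while all three share `logstash-2018.12.22` under the ingest-date scheme.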
