Index name with local system date not using message @timestamp

noobtoelks · December 14, 2018, 11:31pm

Hi All,

I am new to ELK stack. I have logstash 6.5 setup using link and configuration below.

The question I have is how do I format the index name with either receive_at or current OS date?

The reasons are because the message @timestamp I got from syslog is all over the place. It has past and future timestamp. I have a curator cronjob that deletes any index older than 7 days and it is base on index naming. Hence I need the index naming to be today date format.

Thanks for the help in advance!
Newbie.

https://www.elastic.co/guide/en/logstash/current/config-examples.html

input {
  tcp {
    port => 5000
    type => syslog
  }
  udp {
    port => 5000
    type => syslog
  }
}

filter {
  if [type] == "syslog" {
    grok {
      match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
    }
    date {
      match => [ "syslog_timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
    }
  }
}

output {
  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

noobtoelks · December 22, 2018, 9:01pm

I was looking at this post

https://discuss.elastic.co/t/need-help-to-create-current-date-based-index-in-ls/42834

but get the follow error

[2018-12-22T20:32:21,539][ERROR][logstash.filters.ruby ] Ruby exception occurred: Direct event field references (i.e. event['field']) have been disabled in favor of using event get and set methods (e.g. event.get('field')). Please consult the Logstash 5.0 breaking changes documentation for more details.

so looking at this

https://discuss.elastic.co/t/logstash-cannot-assign-correct-date-to-log-timestamp/89249/3

here is the final working config

filter {
  ruby {
    code => 'event.set("[@metadata][now]", Time.now.strftime("%Y.%m.%d"))'
  }
}
output {
  elasticsearch {
    ...
    index => "logstash-%{[@metadata][now]}"
  }
}

system · January 19, 2019, 9:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Index name from log date not from system time Logstash	5	3319	September 14, 2017
Logstash creating day based indexes Logstash	5	1138	July 6, 2017
IndexName with current date Logstash	3	19554	July 6, 2017
Logstash Output to Elasticsearch using todays date instead of @timestamp Logstash	6	2693	June 3, 2020
Logstash output Indexname with old Date Logstash	6	10966	April 12, 2018

Index name with local system date not using message @timestamp

Related topics