I am using filebeat to send data directly to an elasticsearch ingest pipeline.
The (daily) log files each have a date for the file in a header line at the beginning of the file:
```
 ** Application log ** Current day: 02/18/19 **
(18:44:30.379)(04332)Message_type_1: Descriptive text of log message
(18:44:30.399)(04333)Message_type_2: Log msg received (001) 02 30 31 36 37 34 30 38 31 36 33 30 32 30 37 38 38 35 30 35
```
When the ingest pipeline is configured as below, I get the msg_time (as expected) as:
`"msg_time" : "23:56:18.974"`
I would like to have each msg_time value include the log file date, like:
`"msg_time" : "2019-02-18 23:56:18.974"`
How can this be done (preferably without using logstash as an intermediary)?
Thanks in advance.
======
Ingest Pipeline definition:
```sh
#!/bin/sh
# Create/replace the "test" ingest pipeline.
# Backslashes in the grok pattern are doubled because "\(" is not a valid JSON escape.
curl -XPUT "http://localhost:9200/_ingest/pipeline/test" -H 'Content-Type: application/json' -d'
{
  "description" : "PUT _ingest/pipeline/test: Convert test log data to indexed data",
  "version" : "1",
  "processors" : [
    {
      "grok": {
        "field": "message",
        "patterns": [ "\\(%{TIME:msg_time}\\)\\(%{NUMBER:seqnum}\\)%{DATA:msg_type}:%{GREEDYDATA:msg_text}" ]
      }
    },
    {
      "convert": {
        "field" : "seqnum",
        "type": "integer"
      }
    }
  ],
  "on_failure" : [
    {
      "set" : {
        "field" : "error",
        "value" : "{{ _ingest.on_failure_message }}"
      }
    }
  ]
}'
```
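
The transformation asked for above, as an added example that is not part of the original post: a Python parser that remembers the date from the `Current day` header and prepends it to each following line's `msg_time`. The name `parse_log`, the regexes and the MM/DD/YY reading of the header date are assumptions; the sample lines are the ones shown in the post.

```python
import re
from datetime import datetime

# Header line carrying the file date, e.g. "Current day: 02/18/19"
HEADER_RE = re.compile(r"Current day:\s*(\d{2}/\d{2}/\d{2})")
# Same fields as the grok pattern: (TIME)(NUMBER)DATA:GREEDYDATA
LINE_RE = re.compile(
    r"^\((?P<msg_time>\d{2}:\d{2}:\d{2}\.\d{3})\)"
    r"\((?P<seqnum>\d+)\)"
    r"(?P<msg_type>[^:]*):(?P<msg_text>.*)$"
)

def parse_log(lines):
    """Yield one dict per message line, msg_time prefixed with the header date."""
    file_date = None  # state carried from the header to every later line
    for raw in lines:
        line = raw.rstrip("\r\n")
        header = HEADER_RE.search(line)
        if header:
            # Assumption: the header date is MM/DD/YY, as in the sample.
            file_date = datetime.strptime(header.group(1), "%m/%d/%y").date()
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # blank line or anything that is not a message line
        if file_date is None:
            # Refuse to emit a timestamp with a guessed date.
            raise ValueError("message line seen before any 'Current day' header")
        event = m.groupdict()
        event["seqnum"] = int(event["seqnum"])  # same as the convert processor
        event["msg_time"] = f"{file_date.isoformat()} {event['msg_time']}"
        yield event

# Sample input: the lines shown in the post.
SAMPLE = [
    " ** Application log ** Current day: 02/18/19 **",
    "(18:44:30.379)(04332)Message_type_1: Descriptive text of log message",
    "(18:44:30.399)(04333)Message_type_2: Log msg received (001) 02 30 31 36 37 34 "
    "30 38 31 36 33 30 32 30 37 38 38 35 30 35",
]

if __name__ == "__main__":
    for ev in parse_log(SAMPLE):
        print(ev)
```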