Log with no date/time. Manual field not linking to @timestamp

Blake_2112 · July 21, 2017, 8:03pm

I have a set of logs that I would like to input into ES and analyze. The logs are flowing into ES fine but my manual 'date' field is not properly linking to @timestamp. Thus, @timestamp is the ES ingestion time, not the date of the log itself.

date {
      match => ["date", "MM/dd/yyyy"]
      timezone => "America/Chicago"
      target => "@timestamp"
              }

mutate {
  add_field => [ "date", "06/06/2017" ]

Output...

     "@timestamp" => 2017-07-21T19:31:56.329Z,
   "Avg Dur(sec)" => 0.0,
       "@version" => "1",
           "host" => "elkTest",
           "time" => "06/06/2017",

"Max Avg Dur(sec)" => 0.0

Is this not the way to do it, is there a better way, or is the format just not matching up with @timestamp.

Any guidance would be appreciated.

jordansissel · July 21, 2017, 8:18pm

Your configuration and output seem in conflict, so I'm not sure what to advise --

Your config is looking for a field called "date" but your output does not have this, it has a field called "time". Perhaps this is the problem?

Blake_2112 · July 21, 2017, 8:24pm

You are correct....I was writing this mid-update to my config.

Thus my manual field is 'date' in which I'm attempting to populate / overwrite @timestamp.

Sorry for any confusion

@timestamp
July 21st 2017, 15:19:19.651

t date
06/01/2017

magnusbaeck · July 25, 2017, 9:01pm

Filters are evaluted in order so you need to add the field prior to the date filter.

system · August 22, 2017, 9:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.