Logstash ignores my if condition

rtfm.pls · October 25, 2018, 9:08pm

Some of input log messages are in JSON format. I would like to use "time" value as "@timestamp".

This is an example of log message in JSON format :

{
  "level":30,
  "time":1531171074631,
  "msg":"hello world",
  "pid":657,
  "hostname":"Davids-MBP-3.fritz.box",
  "v":1
}

Here is my logstash configuration file:

input {
  beats {
    ...
  }
}

filter{
  json {
    source => "message"
    target => "json_message"
    skip_on_invalid_json => true
    tag_on_failure => [""]
  }

  if [json_message][time] {
    mutate {
      convert => { "[json_message][time]" => "string" }
    }

    date {
      match => ["[json_message][time]", "UNIX"]
      timezone => "UTC"
      target => "@timestamp"
    }
  }
}

output {
  elasticsearch {
    ...
  }
}

I have no luck with this configuration: key [json_message][time] still has number format and it looks like it is not used as @timestamp.

Can someone point to my mistake?

rtfm.pls · October 25, 2018, 10:23pm

Sorry, i should use "UNIX_MS" not "UNIX" time format in logstash configuration file.

warkolm · October 26, 2018, 12:07am

Thanks for sharing the solution

system · November 23, 2018, 12:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.