Logstash indexing all logs to the index of first log

apr589 · May 22, 2019, 3:56pm

Hi ,I have a log file in which first few events have a timestamp of 2019.01.13 and rest all events have a timestamp of 2019.01.14 . Now I am indexing based on @timestamp but all the events of the file are getting indexed to 2019.01.13 instead of the expected behavior of first few going to 2019.01.13 and rest to 2019.01.14. Can someone point out the issue
My conf -

input{
file {
path => "/home/av/Documents/UPI_LOGS/**/*.gz"
mode => read
type => "upi_logs"
}
}

filter {
grok {
match => { "message" =>"%{TIMESTAMP_ISO8601:timestamp} %{NUMBER:num} [%{DATA:module}] *%{LOGLEVEL:level} %{USERNAME:class} - %{GREEDYDATA:log}"}

}
    date{

    match=>["timestamp","YYYY-MM-dd HH:mm:ss.SSS"]
    target => "@timestamp"
    }

    json{

    source => "log"
    target => "parsdlog"
    }

    if "_jsonparsefailure" in [tags]
{
drop {}
}
}

output {
stdout{}
elasticsearch {
hosts => ["localhost:9200"]
index => "upi_analytics-%{+YYYY.MM.dd}"
sniffing => true
  }
}

apr589 · May 27, 2019, 10:02am

It was a problem with my indexing . Resolved now .

system · June 24, 2019, 10:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.