Logstash is not converting a syslog date to date

We are using the following: %{SYSLOGTIMESTAMP:syslog_time} to extract the syslog date from the logs. The format of this field is Nov 16 11:43:38 in the logs.

We are trying to convert syslog_time from a string to a date with the following date filter code. Logstash is unable to do the conversion.

    date {
      # the same "MMM d HH:mm:ss" pattern was listed twice; one copy is enough
      match => [ "syslog_time",
                 "MMM d HH:mm:ss",
                 "MMM dd HH:mm:ss",
                 "ISO8601" ]
    }

How do we get syslog_time converted to a date field?

If the date filter fails it'll log a message that points you to what part of the string it finds objectionable.

I do not see an error in the log. But Elastic is still treating it as a string. Do I need to turn on debugging?

Um, wait. If you want to convert syslog_time to a timestamp you need to use the date filter's target option. By default the result is stored in the @timestamp field. Since the syslog_time field already has been mapped as a string you need to recreate the index.
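The filter the answer describes, written out as an added example (not the original poster's config): the date filter is given `target` so the parsed value replaces the string in `syslog_time`, and the pattern list includes the two-space form syslog uses for single-digit days. The grok line and the `timezone` value are assumptions about this pipeline.

```logstash
filter {
  grok {
    # assumed: the raw line starts with the syslog timestamp
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_time} %{GREEDYDATA:syslog_message}" }
  }
  date {
    # "Nov  6 11:43:38" (two spaces) and "Nov 16 11:43:38" both occur in syslog;
    # the year is absent, so the date filter assumes the current year
    match => [ "syslog_time", "MMM  d HH:mm:ss", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
    # assumed: sources log in UTC; drop this to use the Logstash host's zone
    timezone => "UTC"
    # without target the result goes to @timestamp and syslog_time stays a string
    target => "syslog_time"
    # events that fail to parse get this tag instead of silently keeping the string
    tag_on_failure => [ "_dateparsefailure" ]
  }
}
```

Because the existing index already mapped `syslog_time` as a string, the field only becomes a date in a newly created index (or one created from a template that maps it as `date`).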

In retrospect, the default behavior of placing the time in @timestamp is a better use case than my original idea.
