Hi, I need to replace the @timestamp value with a field value (called SystemTime) that looks like this:
2020-03-27T16:00:40.982652300+00:00
I have tried numerous variations of mutate gsub and the date filter but it's obvious I have no idea how to do this. Can someone please give me a steer?
Thanks and regards...Paul
I have not tested it but try
date { match => [ "SystemTime", "YYYY-MM-dd'T'HH:mm:ss.SSSSSSSSSZZ" ] }Thanks for the quick response. I tried this and I get a "_dateparsefailure".
Actually, SystemTime appears like this in the console output:
"SystemTime" => [
[0] "2020-03-27T14:08:47.500000000+00:00"
]
How do I reference the array entry? I tried "SystemTime[0]" but this gives "Invalid FieldReference".
The input data is XML. I added force_array => false to the XML filter parameters, which stopped SystemTime being put into a single element array and your data filter then worked fine.
Thanks for the help.
It would be "[SystemTime][0]" if you were not using force_array => false.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.