I'm having problems merging indices with an "@timestamp" field in epoch time.
So I have an index (es.2.4):
{
  "_source": {
    "@timestamp": "1514851163146",
    . . .
  }
}
I'm using Logstash (tested with 2.4v and the latest version). My logstash.conf
looks like:
input {
  elasticsearch {
    . . .
  }
}
filter {
  date {
    match => [ "@timestamp", "UNIX_MS" ]
  }
}
output {
  elasticsearch {
    . . .
  }
}
The error I'm getting is: WARN org.logstash.Event - Error parsing @timestamp string value=
Logstash adds the tag: [0] "_timestampparsefailure"
and the field "_@timestamp" => "1512125189650"
I understand one workaround is to trim (or insert [10]"."[3]) the timestamp field from 13 chars to 10 and try to use "match => [ "@timestamp", "UNIX"]", but I'm unable to capture the "@timestamp" field before the Logstash parse error. I tried:
filter {
  ruby {
    code => "event.set('timestamp_new1', event.get('@timestamp'))"
  }
  mutate {
    add_field => { "timestamp_new2" => "%{@timestamp}" }
  }
}
Thanks in advance!
//Oskars
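
An added example, not part of the original post: the tag and the "_@timestamp" field shown above indicate that the original epoch-milliseconds value has already been moved aside before any filter runs, so one approach is to point the date filter at "_@timestamp" instead of "@timestamp". The generator input, the stdout output, the sample document and the "_epochms_parsefailure" tag name are assumptions made so the pipeline runs on its own; replace the input and output with the elasticsearch sections from the post.

```logstash
# Added example. The generator input and stdout output are stand-ins (assumptions)
# for the elasticsearch input/output sections in the original post.
input {
  generator {
    # Constructed sample document carrying an epoch-milliseconds string
    lines => [ '{"@timestamp": "1514851163146", "message": "constructed sample"}' ]
    count => 1
    codec => json
  }
}

filter {
  # Only handle events whose source @timestamp was rejected and preserved
  # in "_@timestamp", as in the output shown in the post
  if "_timestampparsefailure" in [tags] and [_@timestamp] {
    date {
      # Parse the preserved 13-digit value; the result goes to @timestamp (default target)
      match => [ "_@timestamp", "UNIX_MS" ]
      # The two cleanup options below are applied only when the parse succeeds
      remove_field => [ "_@timestamp" ]
      remove_tag => [ "_timestampparsefailure" ]
      # Hypothetical tag name, used to make leftover failures easy to query
      tag_on_failure => [ "_epochms_parsefailure" ]
    }
  }
}

output {
  stdout { codec => rubydebug }
}
```

Events that still carry "_timestampparsefailure" or "_epochms_parsefailure" after this filter keep their "_@timestamp" value, so they can be found and re-processed rather than silently indexed with the ingest time.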