Merge indices with timestamp in epoch


(oskars) #1

I'm having problems merging indices with an "@timestamp" field in epoch time.

So I have an index (ES 2.4):

{
  "_source": {
    "@timestamp": "1514851163146",
     . . .
  }
}

I'm using Logstash (tested with v2.4 and the latest version); my logstash.conf looks like:

input {
  elasticsearch {
    . . .
  } 
}
filter {
  date {
    match => [ "@timestamp", "UNIX_MS"]
  }
}
output {
  elasticsearch {
    . . .
  } 
}

The error I'm getting is: WARN org.logstash.Event - Error parsing @timestamp string value=
Logstash adds tag: [0] "_timestampparsefailure" and field "_@timestamp" => "1512125189650"

I understand one workaround is to trim (or insert [10]"."[3]) the timestamp field from 13 chars to 10 and try to use "match => [ "@timestamp", "UNIX"]", but I'm unable to capture the "@timestamp" field before the Logstash parse error. I tried:

filter {
  ruby {
    code => "event.set('timestamp_new1', event.get('@timestamp'))"
  }
  mutate {
    add_field => {"timestamp_new2" => "%{@timestamp}"}
  }
}

Thanks in advance!
//Oskars
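
An added example, not part of the original post: the warning above shows that the raw value survives in "_@timestamp" next to the "_timestampparsefailure" tag, so the conversion can start from that field instead of "@timestamp". The event is modelled here as a plain Hash, and `epoch_to_time` and `repair_event` are hypothetical helper names; inside a Logstash ruby filter the same logic would read and write through event.get and event.set.

```ruby
require 'time'

# Accept digits only. 10 digits = epoch seconds, 13 = epoch milliseconds
# (the two widths discussed in the post); other widths are rejected, not guessed.
def epoch_to_time(raw)
  s = raw.to_s.strip
  return nil unless s.match?(/\A\d+\z/)

  case s.length
  when 10 then Time.at(s.to_i).utc
  when 13 then Time.at(Rational(s.to_i, 1000)).utc # Rational keeps the ms exact
  end
end

# Event modelled as a plain Hash (assumption). After the failure shown above,
# the original value sits in "_@timestamp" and the tag marks the event.
def repair_event(event)
  tags = Array(event['tags'])
  return event unless tags.include?('_timestampparsefailure')

  t = epoch_to_time(event['_@timestamp'])
  return event if t.nil? # still unparseable: keep the raw value and the tag

  repaired = event.dup
  repaired['@timestamp'] = t.iso8601(3)
  repaired.delete('_@timestamp')
  repaired['tags'] = tags - ['_timestampparsefailure']
  repaired
end

# Constructed sample events, using the value from the warning in the post.
SAMPLE_OK  = { 'tags' => ['_timestampparsefailure'], '_@timestamp' => '1512125189650' }.freeze
SAMPLE_BAD = { 'tags' => ['_timestampparsefailure'], '_@timestamp' => 'not-a-time' }.freeze

if __FILE__ == $PROGRAM_NAME
  p repair_event(SAMPLE_OK)
  p repair_event(SAMPLE_BAD)
end
```

Events that still cannot be parsed keep both the tag and the raw field, so the original timestamps remain available when the merged index is later used to reconstruct a timeline.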

