@dedemorton gave a workaround that prevents Logstash from crashing, but I end up with a read-timestamp field with the literal string value "@timestamp" in the read_timestamp field.
So I am using this:
mutate {
  add_field => { "stashed_time" => "%{[@timestamp]}" }
}
date {
  match => [ "[nginx][access][time]", "dd/MMM/YYYY:H:m:s Z" ]
}
Was this a syntax change from 5.6 to 6.0.0? (I am running 6.0.0-rc1.)
I am continuing the thread now, to offer a solution that seems to work with 6.0 and to ask if there was a syntax change from 5.6.
Either way, this indicates that the docs need an update, as they are renaming the @timestamp field without adding a new field, which can lead to "no timestamp field errors".
Yeah, this won't work. You need %{@timestamp} or the equivalent %{[@timestamp]}.
Either way, this indicates that the docs need an update, as they are renaming the @timestamp field without adding a new field, which can lead to "no timestamp field errors".
Yes, that's a documentation bug.
In general, do you recommend removing the date from the default index?
I recommend keeping the @timestamp field but making sure that it contains the timestamp when the event occurred.