Hi Magnus,
Thank you very much for your quick reply.
So now, I'm trying to change the @timestamp
to the timestamp
present in my log.
My log is as below:
0.0.0.0 - - [20/Sep/2017:06:10:57 +0000] "GET /integration/spin/SWAT/scenario/launchShoot.jsp HTTP/1.0" 200 16184
This is the response i see on Kibana:
{
"_index": "test",
"_type": "log",
"_id": "someid123456-olK",
"_version": 1,
"_score": null,
"_source": {
"request": "/integration/spin/SWAT/scenario/launchShoot.jsp",
"offset": 73886,
"input_type": "log",
"verb": "GET",
"source": "\\\\localhost\\ETV_G\\logs\\wls\\intranet\\intranetNode03\\system\\access.log",
"message": "0.0.0.0 - - [20/Sep/2017:06:10:57 +0000] \"GET /integration/spin/SWAT/scenario/launchShoot.jsp HTTP/1.0\" 200 16184 ",
"type": "log",
"tags": [
"beats_input_codec_plain_applied",
"_dateparsefailure"
],
"@timestamp": "2017-09-20T06:20:24.283Z",
"response": "200",
"bytes": "16184",
"clientip": "0.0.0.0",
"@version": "1",
"beat": {
"hostname": "localhost",
"name": "localhost",
"version": "5.5.2"
},
"host": "localhost",
"httpversion": "1.0",
"timestamp": "20/Sep/2017:06:10:57 +0000"
},
"fields": {
"@timestamp": [
1505888424283
]
},
"sort": [
1505888424283
]
}
I tried the below filter, the @timestamp is still different from the log timestamp.
input {
beats {
port => 5044
host => "0.0.0.0"
}
}
# The filter part of this file is commented out to indicate that it is
# optional.
filter {
grok {
match => { "message" => ["%{COMMONAPACHELOG}"]}
#remove_field => [ "message","@timestamp" ]
}
date {
match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss +Z" ]
target => [ "@timestamp" ]
}
#geoip {
# source => "clientip"
#}
mutate {
remove_field => [ "ident", "auth" ]
}
}
output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => "localhost:9200"
action => "index"
index => "test"
}
}