Hello, I'm trying to overwrite the timestamp field with incoming log messages' timestamp, However I am unable to get it working, I have tried searching the forums but I do not find anything that solves my case, attaching configuration:
filter {
if [type] == "exim-log" {
grok {
overwrite => [ "message" ]
match => { "message" => "%{DATESTAMP:timestamp} %{GREEDYDATA:message}" }
add_tag => [ "_got_syslog_exim_timestamp" ]
}
date {
match => [ "timestamp" , "yy-MM-dd HH:mm:ss" ]
timezone => "UTC"
}
# Not everything has a MessageID but if it has lets grab it here
grok {
overwrite => [ "message" ]
patterns_dir => "/etc/logstash/patterns"
match => { "message" => "%{EXIM_MESSAGE_ID:message_id} %{GREEDYDATA:message}" }
add_tag => [ "_got_syslog_exim_msg_id" ]
remove_tag => "_grokparsefailure"
}
}
}
Example event
{
"_index": "filebeat-2017.06.29",
"_type": "exim-log",
"_id": "AVzzqtOOyDLns164PTmP",
"_score": 1,
"_source": {
"@timestamp": "2017-06-29T11:44:35.220Z",
"offset": 72175145,
"@version": "1",
"input_type": "log",
"beat": {
"hostname": "frank-MacBookPro",
"name": "frank-MacBookPro",
"version": "5.1.2"
},
"host": "frank-MacBookPro",
"message_id": "1WXXDi-XX60L-Ph",
"source": "/home/frank/logstash/mainlog.upto-20140214",
"message": "<= x@x.com H=xt.com x.v) [x] P=esmtp S=22XX id=XXXX@x.v",
"type": "exim-log",
"tags": [
"beats_input_codec_plain_applied",
"_got_syslog_exim_timestamp",
"_dateparsefailure",
"_got_syslog_exim_msg_id"
],
"timestamp": "14-02-11 10:01:34"
},
"fields": {
"@timestamp": [
1498736675220
]
}
}
Patterns file:
EXIM_MESSAGE_ID [\d\w]{6}-[\d\w]{6}-[\d\w]{2}