Overwriting the @timestamp work on stdout but don't work on es

Tristan_D · August 7, 2020, 7:46am

I want to overwrite the @timestamp with date filter.
The result in the stdout is ok, the @timestamp is written by the log time, but there is no document written into the elasticsearch.
If I remove the date filter, the document is normally written into the elasticsearch.

The pattern
NGINX_ACCESS %{IPORHOST:remote_addr} - %{USERNAME:remote_user} \[%{HTTPDATE:timelocal}\] "%{WORD:request_method} %{DATA:request} %{DATA:http_version}" %{INT:status} %{NUMBER:body_bytes_sent} "%{DATA:http_refer}" "%{DATA:http_user_agent}" "%{NUMBER:request_time}" "%{DATA:ssl_protocol}" "%{DATA:ssl_cipher}" "%{DATA:http_x_forwarded_for}""%{DATA:upstream_addr}" "%{DATA:upstream_status}" "%{DATA:upstream_response_length}" "%{DATA:upstream_response_time}"

Here is the config file of the logstash

input {
  beats {
    port => 5044
  }
}

filter {
  grok {
    patterns_dir => "/home/dpc/elk/logstash/patterns"
    match => { "message" => "%{NGINX_ACCESS}" }
  }
  mutate {
	remove_field => [
		"upstream_addr", "ssl_cipher", "ssl_protocol", "host", "ecs", "@version",    
		"input", "http_x_forwarded_for", "http_user_agent", "http_refer", "body_bytes_sent",
		"agent", "remote_user", "input"
	]   
  }
  date {
     match => [ "timelocal", "dd/MMM/yyyy:HH:mm:ss Z" ]
     target => "@timestamp"
  }
}

output {
  elasticsearch {
    hosts => ["http://10.193.161.30:9200"]
    index => "server_log_%{+YYYY.MM.dd}"
    codec => json
  }
  stdout {
    codec => json
  }
}

This is the log
10.192.1.144 - - [14/Jan/2020:20:34:20 +0800] "POST /msxiaobing_callback HTTP/1.1" 403 47 "-" "python-requests/2.18.4" "0.004" "-" "-" "-""10.193.161.5:8080" "403" "47" "0.004"

The result of the stdout

{
    "http_version":"HTTP/1.1",
    "request":"/msxiaobing_callback",
    "request_method":"POST",
    "upstream_response_time":"0.004",
    "@timestamp":"2020-01-14T12:34:20.000Z",
    "upstream_status":"403",
    "message":"10.192.1.144 - - [14/Jan/2020:20:34:20 +0800] "POST /msxiaobing_callback HTTP/1.1" 403 47 "-" "python-requests/2.18.4" "0.004" "-" "-" "-""10.193.161.5:8080" "403" "47" "0.004"",
    "upstream_response_length":"47",
    "timelocal":"14/Jan/2020:20:34:20 +0800",
    "remote_addr":"10.192.1.144",
    "log":{
        "offset":28092,
        "file":{
            "path":"/data/dingpeichang/logs/server_access.log"
        }
    },
    "status":"403",
    "tags":[
        "beats_input_codec_plain_applied"
    ],
    "request_time":"0.004"
}

Jenni · August 7, 2020, 8:01am

Is there no error in the Logstash logs?

Tristan_D · August 7, 2020, 8:10am

There is no any error log in the logstash logs. That's why it's hard for me to solve it.
Thank you for your replying.

Jenni · August 7, 2020, 8:24am

Just to make sure: Querying your ES index like this
GET server_log_2020.01.14/_search?q=@timestamp:"2020-01-14T12:34:20.000Z"
returns nothing?

Tristan_D · August 7, 2020, 10:36am

I used the wrong index in the es.
Thank you!

system · September 4, 2020, 10:37am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Reading Epoch As @timestamp Elasticsearch	5	576	July 6, 2017
In logstash Replace elasticsearch's @timestamp with log's time Logstash	8	7300	August 21, 2018
How to overwrite Log time values with @timestamp Logstash	3	2347	December 26, 2016
@timestamp field cannot change even date filter is correct: default to YYYY.01.01 Logstash	2	702	November 26, 2017
Date filter is not overwriting to @timestamp Logstash	2	541	January 10, 2018

Overwriting the @timestamp work on stdout but don't work on es

Related topics