trying to parse with this 
if "one-sync" in [tags] and "heart-sync" in [tags] and "edemand" in [tags] and "events" in [tags] {
date {
match => ["timestamp", "yyyy-MM-dd'T'HH:mm:ss'.'SSS'Z'"]
timezone => "GMT"
target => "@timestamp"}
log looks like this:
{"level":"debug","message":"Received resonse 4611 ","timestamp":"2022-05-26T12:06:11.079Z"}
What is the question?
Since you already have in the valid time format, use:
date {
match => [ "timestamp", "ISO8601" ]
}
Well, it doesn't seem to parse the date. It doesn't throw an error just doesn't work,
Perhaps the conditionig syntext is off ?
If there is no _dateparsefailure tag then either the source field does not exist or the conditional is preventing the date filter from processing the event.
If there is no error, that means it's fine now on LS side, recreate index pattern because time was string before, now is date.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.