I am using logstash elasticsearch output plugin to create time based indices.
I create index patterns in the following way currently:
output {
# other settings
index => "server-netlogs-%{+YYYY.MM.dd}"
}
The events which I want to index have @timestamp field on them which represents the source of truth. But the %{+YYYY.MM.dd} used in creating the index pattern uses the current timestamp of the instance logstash is running on.
I wanted to know if it is possible to use @timestamp for the index as in my case real timestamp != timestamp on the event and I want the timestamp in the event to be used to index the data in ES.
The events which I want to index have @timestamp field on them which represents the source of truth. But the %{+YYYY.MM.dd} used in creating the index pattern uses the current timestamp of the instance logstash is running on.
No, %{+YYYY.MM.dd} uses the @timestamp value of each event.
Thanks for the clarification. @magnusbaeck I have a mutation filter which mutated @timestamp so I had to change the ordering of a couple of filters to make sure @timestamp is primed and it does create indices based on that. Really appreciate the swift reply.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.