Reference key from kv filter to use in date filter

Hello, I am using a kv filter to split text and then need to use a field from the split text as @timestamp.

Here is the filter snippet from my config file:

filter {
  kv { }
  date {
    match => ["%{start}", "UNIX"]
    target => "@timestamp"
  }
}

The timestamp is in field called 'start'.

Thanks in advance.

What is your question?

The timestamp field is not getting replaced with the value from start.

Here is a snippet of the text that the kv filter is splitting:

cs7=34.0756 cs7Label=latitude cs8=-84.6477 cs8Label=longitude Customer=asdf ver= TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 start=1551914758690 request=some.some.com requestMethod=POST

You do not need a sprintf reference, just give it the name of the field. Also, [start] is in milliseconds.

date { match => ["start", "UNIX_MS"] }

Also, if you are reading CEF messages from an input then a cef codec might help you. But only if the messages are pure CEF. If there is a header or trailer the codec will not work. (Personally I would love to see a cef filter in addition to a cef codec.)
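A self-contained test pipeline for the fix described in the answer above, added here as an example and not part of the original thread. The generator input (replaying the sample line from the question), the stdout output, and the `_missing_start` tag name are assumptions made so the pipeline can be run offline.

```logstash
input {
  # Constructed test input: replays the sample line from the question once.
  generator {
    lines => ["cs7=34.0756 cs7Label=latitude cs8=-84.6477 cs8Label=longitude Customer=asdf ver= TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 start=1551914758690 request=some.some.com requestMethod=POST"]
    count => 1
  }
}

filter {
  # Default kv settings: pairs split on whitespace, key and value split on "=".
  kv { }

  if [start] {
    date {
      # Field name only (no %{...} reference); the value is epoch milliseconds.
      match => ["start", "UNIX_MS"]
      target => "@timestamp"
      # This is the filter's default failure tag, written out so that
      # events with an unparseable start value are easy to search for.
      tag_on_failure => ["_dateparsefailure"]
    }
  } else {
    # Hypothetical tag name chosen for this example: marks events where kv
    # produced no start field, so @timestamp is still the ingest time.
    mutate { add_tag => ["_missing_start"] }
  }
}

output {
  # Print the full event so @timestamp and tags can be inspected.
  stdout { codec => rubydebug }
}
```

Events tagged `_dateparsefailure` or `_missing_start` keep the ingest time in `@timestamp`, so filtering on those tags shows which log lines would otherwise be placed at the wrong point in a timeline.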

That worked. Thanks for your help.
