Hi Everyone,
I have a problem of day change. I google and saw the following URL
My problem is that I don't want to save "index_day" tag in elasticsearch. Is there any way to remove it or ignore it.
Store the day as a subfield of @metadata, i.e. do this:
code => "event['@metadata']['index_day'] = event['timestamp_zoned_obj'].strftime('%Y.%m.%d')"
...
index => "syslog-%{[@metadata][index_day]}"
The contents of that field is ignored by outputs. But I must repeat what I said on StackOverflow:
The
@timestampfield is supposed to be in UTC. Other tools (like Kibana and Elasticsearch Curator) rely on this and you shouldn't change it unless you have a really good reason.
Put more bluntly, you are wasting your time solving a non-problem.
thanks @magnusbaeck now my problem solved and I remember what you said.