Remove message and replace timestamp fields

manikandanb87 · April 1, 2020, 10:43am

Hi Experts,
I am using log stash to read my logs and I notice that the field "message" is there by default and has the complete data in it. So, I would like to remove it from my feed.

Also, I want to replace "@timestamp" with "app_timestamp". Kindly help.

{
            "message" => "JVM.128077 (437) [2020-03-31T11:56:24.569 Usercheck] c9qnpn/QLB2UyA 1610670968891559937 - (3) Sign on Code failed for user USERA@xxx.xxx.xxx.xx",
              "oprid" => "-",
               "host" => "nonpselastic",
                "pid" => "128077",
    "service_request" => "437",
            "process" => "JVM",
        "log_message" => "Sign on Code failed for user USERA@xxx.xxx.xxx.xx",
         "@timestamp" => 2020-04-01T10:31:17.279Z,
         "tuxservice" => "Usercheck",
      "TOPInstanceID" => "1610670968891559937",
           "@version" => "1",
      "app_timestamp" => "2020-03-31T11:56:24.569",
               "SRID" => "c9qnpn/QLB2UyA",
          "log_level" => "3",
               "path" => "/searchtech/logstash-7.6.1/bin/failelogin.log"
}

Badger · April 1, 2020, 3:10pm

You can remove a field using mutate

mutate { remove_field => [ "message" ] }

Use a date filter to parse app_timestamp and overwrite @timestamp.

manikandanb87 · April 1, 2020, 3:49pm

Thank you!!!

system · April 29, 2020, 3:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.