Replace @timestamp to time from actual log file

Youssef_SBAI · June 9, 2020, 12:19pm

Hello it is possible to Change @timestamp to time from actual log file

I use this config

filter {
  date {
    match => ["timestamp", "ISO8601"]
  }
}

But it does not work

dadoonet · June 9, 2020, 1:00pm

What does not work?
Could you give a concrete example of the event before and after?

Youssef_SBAI · June 9, 2020, 1:04pm

My index names is logstash-2020.06.09 but the @timestamp is

Youssef_SBAI · June 9, 2020, 1:05pm

logstash not parsing @timestamp correctly, it is possible to change @timestamp to time from actual log file

Jenni · June 9, 2020, 1:29pm

Most of the people who might try to help you are not psychic. If you complain about the wrong output, you need to give us your input. If you cannot solve your problem while having all the information, you cannot expect us to solve it with only the half of it.

Youssef_SBAI · June 9, 2020, 1:32pm

my config logstash is

input {
beats  {
port => "5044"
}
}  

filter {

csv {
separator => ","
columns => ["chaine", "job", "date_plan", "statut", "date_debut", "date_fin", "serveur", "numero_passage", "application", "sous_application"]
skip_header => "true"
}

date {
match => [ "timestamp", "YYYY-MM-dd;HH:mm:ss.SSS"]
target => "@timestamp"
}

date {
match => [ "date_plan" , "YYYY-MM-dd" ]
timezone => "Europe/Paris"
}

date {
match => [ "date_debut" , "YYYY-MM-dd HH:mm:ss" ]
timezone => "Europe/Paris"
}

date {
match => [ "date_fin" , "YYYY-MM-dd HH:mm:ss" ]
timezone => "Europe/Paris"
}

mutate {
convert => { "numero_passage" => "integer" }
}
}

output {
elasticsearch {
hosts => ["http://elasticsearch:9200"]
index => "<logstash-{now/d}>"

}
stdout {
   codec => rubydebug
}
}

Jenni · June 9, 2020, 1:39pm

I hope you realize that this configuration would overwrite @timestamp again and again and again … That field is the default target of the date filter.

Youssef_SBAI · June 9, 2020, 1:43pm

I know but @timestamps is not parsing correctly with today's date

Jenni · June 9, 2020, 1:47pm

I just meant to say that, even if it would parse the date correctly, the value wouldn't be kept. (And you still haven't posted your input.)

Youssef_SBAI · June 9, 2020, 1:49pm

my config filebeat is

filebeat.inputs:
- type: log
  enabled: true
  paths:  
     - /data/volumes/monitoring/logstash/logCtrlM/poc_prode.csv

exclude_lines: ['^chaine']

output.logstash:
  hosts: ["logstash:5044"]

dadoonet · June 9, 2020, 1:53pm

Could you please indent your code correctly to make it easier to read?
Also post the first lines of your CSV file.

dadoonet · June 9, 2020, 2:02pm

Adding to @Jenni's answer the link to the documentation. Date filter plugin | Logstash Reference [8.11] | Elastic

It says:

Store the matching timestamp into the given target field. If not provided, default to updating the @timestamp field of the event.

Which means that date_fin will at the end overwrite any other parsed values for @timestamp field.

system · July 7, 2020, 2:03pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.