Replace @timestamp with Time field in my log

Sri_Divya_Ayalasomay · July 25, 2017, 6:14pm

I am trying to replace time field in my log time :
here is my config file: I am new to elastic search , tried couple of things but failed.
nput {
file{
path=>"C:\logs\testing1.csv"
start_position=>"beginning"
}
}
filter{
csv{
separator=>","
columns=>["Message","Thread","Time","Topic","Level","Interaction ID"]
}
date {
match =>{ "Time"=>[ "dd/MMM/yyyy:HH:mm:ss Z"]}
target=>"@timestamp"
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index=>"itest1"
document_type=>"itest1_log"

}
stdout{}
}

magnusbaeck · July 25, 2017, 8:59pm

Please show

an example line from your CSV file and
an example output event after you've modified your stdout{} output to stdout { codec => rubydebug }.

Sri_Divya_Ayalasomay · July 26, 2017, 3:10pm

Hi Magnus,

Here is the input in my csv file:

Message Thread Time Topic Level Interaction ID

InteractionStartEvent 4580 7/25/2017 2:39:51 AM -- -- --

Time is in 7/25/2017 2:39:51 AM

This is how am writing my config file-
input {
file{
path=>"C:\logs\testing3.csv"
start_position=>"beginning"
}
}
filter{
csv{
separator=>","
columns=>["Message","Thread","Time","Topic","Level","Interaction ID"]
}
date {
match =>["Time","YYYY-MMM-dd:HH:mm:ss Z"]
target=>"@timestamp"
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index=>"itest4"
document_type=>"itest4_log"

}
stdout{ codec => rubydebug}
}

magnusbaeck · August 2, 2017, 6:46pm

If your CSV file doesn't use commas to separate the columns then separator=>"," is the wrong configuration to use.

Also, you only addressed the request in the first bullet. Please always answer all questions that you're asked.

Sri_Divya_Ayalasomay · August 8, 2017, 1:22pm

Its wasnt the problem of csv file. I didnt had date in my timestamp and UTC which I parsed
It working now

system · September 5, 2017, 1:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.