Hello, I have an issue with setting up Kibana and Logstash.
What actually happens:
- I set up a date filter in Logstash to replace @timestamp with the actual time from my log.
- I configured an index pattern in Kibana with "Time Filter field name" => @timestamp
After these steps, the "Discover" page in Kibana shows me an empty page (not blank), just a "No results found" message.
If I remove the date replacement for the system field @timestamp, everything works fine.
Using Dev Tools I see that the @timestamp field is written correctly (with my log date/time).
My filter config is:
```
if "api.log" in [source] {
  grok {
    patterns_dir => ["/etc/logstash/patterns"]
    match => { "message" => "%{BASELOG}" }
  }
  date {
    match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
    target => "@timestamp"
    remove_field => [ "timestamp" ]
  }
  mutate {
    replace => { "type" => "api" }
    replace => { "message" => "%{msg}" }
    remove_field => [ "msg" ]
  }
}
```
My custom_patterns:
```
JAVATIMESTAMP %{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND})
JAVALOGHEADER %{JAVATIMESTAMP:timestamp} %{LOGLEVEL:level} \[%{JAVACLASS:class}\]
BASELOG %{JAVALOGHEADER} - %{GREEDYDATA:msg}
```
One of the ES records:
```
{
  "_index": "logstash-2017.10.08",
  "_type": "api",
  "_id": "AV75Y5a1xVCz_fS_LhpO",
  "_score": 1,
  "_source": {
    "hostname": "hidden",
    "@timestamp": "2017-10-08T03:30:03.692Z",
    "level": "TRACE",
    "source": "/some/source/logs/hidden.log",
    "message": "Some message: Some extra message",
    "type": "api",
    "class": "com.some.awesome.class.of.java"
  }
}
```
Can someone explain to me what I'm doing wrong?
Many thanks for helping!
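An offline re-creation of the grok, date and mutate chain from the post, added here as an example and not part of the original post: it shows which `@timestamp` one log line produces, given that the date filter stores UTC and reads a zone-less timestamp in the Logstash host's zone unless its `timezone` option is set. The helper `process`, its `utc_offset_hours` parameter, the simplified regexes, the file path and the sample line are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Simplified regex stand-ins for the post's grok patterns (assumption:
# close to, but not identical to, the stock grok definitions).
JAVATIMESTAMP = r"\d{4}-\d{2}-\d{2} \d{2}:?\d{2}(?::?\d{2}(?:[:.,]\d+)?)"
JAVACLASS = r"(?:[A-Za-z$_][\w$]*\.)*[A-Za-z$_][\w$]*"
BASELOG = re.compile(
    rf"(?P<timestamp>{JAVATIMESTAMP}) (?P<level>[A-Za-z]+) "
    rf"\[(?P<class>{JAVACLASS})\] - (?P<msg>.*)"
)

# Constructed sample line, shaped to yield the record shown in the post.
SAMPLE = ("2017-10-08 03:30:03,692 TRACE [com.some.awesome.class.of.java]"
          " - Some message: Some extra message")


def process(line, source, utc_offset_hours=0):
    """Hypothetical helper: grok -> date -> mutate for one log line."""
    event = {"message": line, "source": source}
    if "api.log" not in source:          # if "api.log" in [source]
        return event
    m = BASELOG.match(line)
    if m is None:                        # simplification: stop at grok failure
        event["tags"] = ["_grokparsefailure"]
        return event
    event.update(m.groupdict())
    try:                                 # match "yyyy-MM-dd HH:mm:ss,SSS"
        local = datetime.strptime(event["timestamp"], "%Y-%m-%d %H:%M:%S,%f")
    except ValueError:
        event["tags"] = ["_dateparsefailure"]
    else:
        zone = timezone(timedelta(hours=utc_offset_hours))
        utc = local.replace(tzinfo=zone).astimezone(timezone.utc)
        event["@timestamp"] = (utc.strftime("%Y-%m-%dT%H:%M:%S.")
                               + f"{utc.microsecond // 1000:03d}Z")
        del event["timestamp"]           # remove_field => [ "timestamp" ]
    event["type"] = "api"                # mutate: replace type and message
    event["message"] = event.pop("msg")
    return event


if __name__ == "__main__":
    print(process(SAMPLE, "/var/log/app/api.log"))
    print(process(SAMPLE, "/var/log/app/api.log", utc_offset_hours=3))
```

Comparing the printed `@timestamp` values with the time range selected in Kibana shows whether the indexed events fall inside the window being queried.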