Set Timestamp of multiple events by one specific event

Robert_D · March 19, 2018, 10:09am

Hello

I have an application log file, containing one json-object per line. The schema of the file is this.

{
	"step": "text",
	"msg": "text",
	"tags": "array",
	"keyValues": "object"
}

The problem I have is, that there is no timestamp in each line, an because of this I use the scan-time from filebeat instead. But the real and wanted timestap is located in a specific line like this.

{
	"step":null,
	"tags":["meta","start","monitoring"],
	"msg":"",
	"keyValues":{
		"runId":"ffa067058e27dc0a26705f59e6b6965357ac4637",
		"startTime":"2018-03-19T10:25:38+01:00",
	}
}

My questtion is: Is there a way to set / update the @timestamp-field all events from this file to this "startTime"-field? And if yes, how?

Thanks in advance,
Robert

ruflin · March 21, 2018, 7:00am

This is currently not possible in Filebeat. It might be possible in the future with the rename processor: https://github.com/elastic/beats/pull/6292

For now you have to use either an ingest pipeline or Logstash to move the field around.

system · April 18, 2018, 9:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.