Setting a timestamp from a JSON parsed object

Vedran_Maricevic · May 24, 2017, 7:19am

I am having an issue with setting a timestamp from a JSON parse.

I have this string (valid JSON):

[{"orderNumber":"423523-4325-3212-4235-463a72e76fe8","externalOrderNumber":"reactivate_22d6ff0d8f55eb821be14df9d35505a6","operation":{"name":"CAPTURE","amount":134,"status":"SUCCESS","createdAt":"2015-05-11T09:14:30.969Z","updatedAt":{}}}]

I parse it as a json using this Logstash filter:

grok {
match => { "message" => "[%{GREEDYDATA:firstjson}]%{SPACE} [%{GREEDYDATA:secondjson}}]}]"}
}
json{
source => "firstjson"
}
date {
match => [ "operation.createdAt", "ISO8601"]
}
mutate {
remove_field => [ "firstjson", "secondjson" ]
}
}

This creates a document inside the Elasticsearch. I have a field named operation.createdAt which is properly recognised as a date field. But for some reason, this line:

date {
match => [ "operation.createdAt", "ISO8601"]
}

is not setting @timestamp field. Current @timestamp field is set at the moment of document insertion. What am I doing wrong?

anhlqn · May 28, 2017, 4:36pm

Try this syntax?

date {
    match => [ "[operation][createdAt]", "ISO8601"]
}

I don't think you can use this syntax operation.createdAt to refer to a child field in Logstash.

Vedran_Maricevic · May 29, 2017, 7:21am

That did the trick :). Thank you

system · June 26, 2017, 7:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.