Time Filter field name: @timestamp

Guy_Shar · April 10, 2019, 1:57pm

Am trying to setup a graph using the date and time values from my log file.
The date and time format is as follow:
16/09/2014 11:54:55

I would like this value to be populated into the field: @timestamp, as at the moment it contains the index action time, and not the log record time.

When i create an index pattern i only presented with this field @timestamp as an option.

I have created another field in the logstash conf file: called logdate, hoping it will be available for selection, but from some reason this field type is text.

"logdate": {
      "type": "text",
      "fields": {
        "keyword": {
          "type": "keyword",
          "ignore_above": 256
        }
      }
    },

This is the logstash config of this field:
filter
{
grok{
match => {"message" => "%{GREEDYDATA:filename}: %{DATESTAMP:logdate} %{GREEDYDATA:dummy}: %{GREEDYDATA:dummy1}databaseMatch=%{GREEDYDATA:source}&EndTag=%{GREEDYDATA:dummy2}&FieldText=%{GREEDYDATA:filter}&highlight=%{GREEDYDATA:dummy3}&Text=%{GREEDYDATA:searchterms}&TotalResults=true&userID=%{GREEDYDATA:userid}&WeighFieldText="}
}
date {
match => ["logdate", "MM/dd/YYYY HH:mm:ss"]
target => "logdate"
}
}

I have two questions:

How can i set the default @timestamp value to the log file date ?
How can i get the type of the logdate to be type date as opposed to Text ?

Thanks

Badger · April 11, 2019, 12:35pm

If your field format is 16/09/2014 11:54:55, then that is "dd/MM/YYYY HH:mm:ss", not "MM/dd/YYYY HH:mm:ss".

If you want to parse that into @timestamp then remove the target option from the date filter. You can then overwrite the logdate field using a mutate filter.

system · May 9, 2019, 12:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.