Setup:
I recently upgraded from logstash 1.4.2-1-2c0f5a1 to Logstash 1.5.1-1. I am using the date filter to replace the @timestamp with the event time of the log. I send all input to elasticsearch and I tag certain events and send those tagged events to email output.
Scenario:
Previously the @timestamp value was being represented as a date value and now it seems to be represented as a string. I see this behavior from the stdout{codec=>rubydebug} and email output. I include the @timestamp value in my email messages. There has been no modification to my configuration file.
@timestamp field in email output
Prior to upgrading: 2015-06-16 13:08:58 UTC
Post upgrading: 2015-06-17T20:54:07.000Z
Need help getting the @timestamp value to be displayed the same as it was in 1.4.2.
Currently I'm outputting to three locations: stdout{codec=>rubydebug}, email, and elasticsearch. Prior to the upgrade the stdout would color the date green; now it is colored white. Emails now have the
This is the date filter:
date {
  match => [ "eventTime", "YYYY-MM-dd HH:mm:ss" ]
  timezone => "Etc/UCT"
}
Are you saying I just need to use the sprintf format for email output?
OK, how do I change a field from a string to a time object? I'm getting handed a json input with a @timestamp string. I want to use the value of that @timestamp string to set the date {}, but the match isn't working.