@Timestamp does not appear when creating index

lfuentes · March 20, 2020, 8:51pm

Good morning, I have a problem creating an index, it happens that @timestamp does not appear to me, this is an example of the date in the log file:

####<Mar 15, 2020 11:44:28 PM CLST> <Info> <Health> <vp1mw220> <osb_Teleton02> <weblogic.GCMonitor> <<anonymous>> <> <48acf31c77bb5441:19522313:170cc2728eb:-7ffd-0000000000000033> <1584326668140> <BEA-310002> <41% of the total memory in the server is free>
####<Mar 15, 2020 11:45:28 PM CLST> <Info> <Health> <vp1mw220> <osb_Teleton02> <weblogic.GCMonitor> <<anonymous>> <> <48acf31c77bb5441:19522313:170cc2728eb:-7ffd-0000000000000033> <1584326728141> <BEA-310002> <20% of the total memory in the server is free>

This is the filter I am using:

filter {

if [document_type] == "busteleton" {

    grok {

        match => {"message" => [

            "(?m)%{COMMON_LOG:date}%{DATA:trash} <%{WORD:level}> <%{WORD:tipo}> <%{WORD:maquina}> <%{WORD:instancia}> <%{DATA:trash}> <%{DATA:trash}> <%{DATA:trash}> <%{DATA:trash}> <%{DATA:trash}> <%{DATA:bea}> %{GREEDYDATA:traza}",

            "(?m)%{COMMON_LOG:date}%{DATA:trash} <%{WORD:level}> <%{WORD:tipo}> <%{DATA:bea}> %{GREEDYDATA:traza}"

        ]}

    }

    mutate {

        add_field => { "fecha_bus" => "%{date}" }

        remove_field => ["tags","message","agent","input","type","trash","host","log","file","path","offset","ecs","version","@version"]

        rename => {"@timestamp" => "processTime"}

    }

    date {

        match => ["fecha_bus", "MMM d, yyyy hh:mm:ss aa"]

        target => "@timestamp"

    }

}

}

When I want to create an index, only "processtime" appears, please help me

Thanks

Luis

Badger · March 22, 2020, 5:23pm

I am puzzled. You change the name of the @timestamp field to processTime and then ask why you have a field called processTime instead of @timestamp. If you want both then use copy or add_field instead of rename.

lfuentes · March 22, 2020, 8:56pm

Hello friend, what happens is that I have this type of date "Mar 15, 2020 11:46:28 PM CLST" and I can not parse it, if someone can support me I would appreciate it, I could not match.

Badger · March 22, 2020, 11:29pm

CLST is not a timezone name that Joda supports. I suggest you remove it

mutate { gsub => [ "fecha_bus", " CLST$", "" ] }

and also remove the " aa" at the end of you date filter pattern.

system · April 19, 2020, 11:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.