Hi, I'm facing a case where I couldn't get the timestamp setting to apply to the rest of the messages.
Here is my input:
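input {
  generator {
    # Each entry in `lines` is emitted as a separate event; count => 1 means
    # the list is replayed once.
    lines => [
      "# snapshot,66472243,20220704061503",
      "list_of_count(number 0000080, abort 0, onlist yes)",
      "list_of_count(number 0000100, abort 0, onlist yes)",
      "list_of_count(number 0000605, abort 0, onlist yes)",
      "list_of_count(number 0000605, abort 0, onlist yes)",
      "list_of_count(number 0000750, abort 0, onlist yes)",
      "list_of_count(number 0000905, abort 0, onlist yes)",
      "list_of_count(number 0006063, abort 0, onlist yes)"
    ]
    count => 1
  }
} # input

filter {
  grok {
    # break_on_match is a grok option, not a field to match against. Placed
    # inside `match` it is read as a field name (which no event carries), so
    # it was silently ignored there. true is also the grok default: stop at
    # the first pattern that matches.
    break_on_match => true
    match => {
      "message" => [
        # data lines: list_of_count(number NNN, abort N, onlist yes)
        # `count` and `type` are captured here and dropped again by mutate below
        "%{DATA:count}\(%{DATA:type} %{INT:numvalue}, %{DATA:status} %{INT:statusval:int}, %{DATA:list} %{DATA:listval}\)",
        # header line: "# snapshot,66472243,20220704061503"
        # this is the ONLY pattern that produces a `time` field
        "# %{DATA:activity},%{DATA:val},%{GREEDYDATA:time}"
      ]
    }
  }
  # Parses `time` into @timestamp (the default target). The filter only acts
  # on events that have a `time` field, i.e. the header line; every other line
  # is its own event without `time`, so it keeps the ingest-time @timestamp
  # (compare @timestamp of the first and second events in the output below).
  # A value parsed from one event is not carried over to later events.
  date {
    match => ["time", "yyyyMMddHHmmss", "yyyy-MM-dd'T'HH:mm:ss'.'SSS'Z'", "UNIX"]
    timezone => "Europe/Paris"
    locale => "en"
    # NOTE: no pattern above captures a field named "timestamp"; this removal
    # is a no-op as written (the captured field is `time`, removed by mutate).
    remove_field => [ "timestamp" ]
  }
  mutate {
    remove_field => [ "host", "count", "fields", "@version", "input_type", "source", "tags", "type", "time" ]
  }
} #filter

output {
  stdout { codec => rubydebug{} }
} # output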
As you can see, @timestamp is set as the target for `time`, but the date filter only triggers for the first line and not for the rest of the messages.
{
"activity" => "snapshot",
"@timestamp" => 2022-07-04T04:15:03.000Z,
"message" => "# snapshot,66472243,20220704061503",
"sequence" => 0,
"val" => "66472243"
}
{
"status" => "abort",
"message" => "list_of_count(number 0000080, abort 0, onlist yes)",
"sequence" => 0,
"listval" => "yes",
"@timestamp" => 2022-07-11T20:56:35.991Z,
"statusval" => 0,
"numvalue" => "0000080",
"list" => "onlist"
}
{
"status" => "abort",
"message" => "list_of_count(number 0000100, abort 0, onlist yes)",
"sequence" => 0,
"listval" => "yes",
"@timestamp" => 2022-07-11T20:56:35.992Z,
"statusval" => 0,
"numvalue" => "0000100",
"list" => "onlist"
}