@timestamp not working in filesystem input

Hello! I have same issue as described in Timestamp not being overwriten (ECS)

The solution there is to use the deprecated log input, but what can we do with the filesystem input?

I have this setup:

- type: filestream
  id: some-log
  paths:
    - /path/to/logstash.log
  parsers:
    - ndjson:
        overwrite_keys: true
        message_key: "message"
        add_error_key: true

And logs like these:

{"@timestamp":"2024-08-14T16:02:34.024439+00:00","@version":1,"host":"php","message":"Test message","type":"app","channel":"sms","level":"INFO","ctxt_foo":"bar","ctxt_bar":"baz"}
{"@timestamp":"2024-08-14T16:02:35.112766+00:00","@version":1,"host":"php","message":"Test message","type":"app","channel":"sms","level":"INFO","ctxt_foo":"bar","ctxt_bar":"baz"}
{"@timestamp":"2024-08-14T16:02:36.065564+00:00","@version":1,"host":"php","message":"Test message","type":"app","channel":"sms","level":"INFO","ctxt_foo":"bar","ctxt_bar":"baz"}

The @timestamp value in Elastic differs. If I use the log input with json.overwrite_keys: true, everything starts working correctly, but I don't want to use a deprecated component. What can I do?

Hi @wiistriker , welcome to our community.

Have you checked this migration guide? Migrate log input configurations to filestream | Filebeat Reference [8.15] | Elastic

You will probably need to create an ingest pipeline and then adjust the .yml configuration.

Example:

PUT _ingest/pipeline/update_timestamp_pipeline
{
  "description": "Pipeline to overwrite @timestamp with the value from logs",
  "processors": [
    {
      "date": {
        "field": "@timestamp",
        "target_field": "@timestamp",
        "formats": ["ISO8601"],
        "timezone": "UTC"
      }
    }
  ]
}

And configure Filebeat to use the pipeline:

filebeat.inputs:
  - type: filestream
    id: my-filestream-input
    paths:
      - /var/log/myapp/*.log
    parsers:
      - ndjson:
          target: ""
          overwrite_keys: true
          add_error_key: true
    pipeline: "update_timestamp_pipeline"
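Added example, not from this thread or from Elastic: a small Python check that computes what the reply's `date` processor would write for each of the log lines quoted above (converted to UTC, millisecond precision) and compares it with the `@timestamp` of the document that was actually indexed, so you can tell whether the event time from the log was kept or replaced by Filebeat's read time. The indexed documents in the block are constructed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the shape of the question's log: the first one
# is the question's own first line, the second uses a non-UTC offset.
LOG_LINES = [
    '{"@timestamp":"2024-08-14T16:02:34.024439+00:00","@version":1,"host":"php",'
    '"message":"Test message","type":"app","channel":"sms","level":"INFO"}',
    '{"@timestamp":"2024-08-14T18:02:35.112766+02:00","@version":1,"host":"php",'
    '"message":"Test message","type":"app","channel":"sms","level":"INFO"}',
]


def _parse_iso(value: str) -> datetime:
    # fromisoformat() takes "+00:00" offsets in all supported versions but a
    # trailing "Z" only from Python 3.11, so normalise the Z first.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expected_timestamp(line: str) -> str:
    """@timestamp as the reply's `date` processor (formats ISO8601, timezone
    UTC) writes it: converted to UTC, millisecond precision, trailing Z.
    The microseconds the application logged do not survive this step."""
    ts = _parse_iso(json.loads(line)["@timestamp"]).astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def timestamp_preserved(line: str, indexed_doc: dict, tolerance_ms: int = 1) -> bool:
    """True when the indexed document's @timestamp is the event time from the
    log line (within millisecond rounding); False when it was replaced by the
    time Filebeat read the line, i.e. the overwrite did not happen."""
    want = _parse_iso(expected_timestamp(line))
    got = _parse_iso(indexed_doc["@timestamp"])
    return abs(got - want) <= timedelta(milliseconds=tolerance_ms)


if __name__ == "__main__":
    # Constructed: the same two events as they might appear in Elasticsearch,
    # the first with its event time kept, the second with Filebeat's read time.
    docs = [{"@timestamp": "2024-08-14T16:02:34.024Z"},
            {"@timestamp": "2024-08-14T16:05:10.501Z"}]
    for line, doc in zip(LOG_LINES, docs):
        ok = timestamp_preserved(line, doc)
        print(expected_timestamp(line), "preserved" if ok else "REPLACED")
```

If your index maps `@timestamp` as `date_nanos` rather than `date`, widen the comparison accordingly; the millisecond rounding here follows the default output of the `date` processor.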

Hello @Alex_Salgado-Elastic. Thank you for the reply.

I didn't see that migration guide, because I started with filestream and didn't have a log input on my first try, so I have nothing to migrate from. But I don't really see where the information about the ingest pipeline is in this guide. How can this migration guide help me?

In my opinion it is not intuitive to add pipelines for such a simple use case, especially with arguments of the same name, @timestamp. It looks a little hacky, as in "put the @timestamp field into the @timestamp field".

Is there any reason for such behaviour? I expect that overwrite_keys: true will really override keys, just as described in the documentation. Also, in Step 3: Use new option names there is information that the json option moved to parsers.n.ndjson, so I expect overwrite_keys should work just like in the log input.