We send multiple types of logs to Logstash, and one of them uploads JSON logs with an "@timestamp" field. Logstash tries to parse that field, and when it fails it copies the value into "_@timestamp" and throws a warning message for the log event.
We DO NOT want to parse that field. We are happy with the "_@timestamp" field, but having a warning for every event is not feasible for us. Is there a way to suppress just those warnings? (We don't want to update the logging format because we will miss other essential warnings.)
I tried to rename/remove the "@timestamp" (assuming that Logstash will create a new "@timestamp" field with the syslog timestamp, since it is a protected field), but it didn't work and I still see Logstash trying to parse the "@timestamp" from the logs. I tried the following config:
{"@message":"HTTP GET /health","@timestamp":"2021-03-13 07:05:01","@fields":{"meta":{"req":{"url":"/health","headers":{"host":"10.19.206.178:8080","user-agent":"kube-probe/1.17","accept-encoding":"gzip","connection":"close"},"method":"GET","httpVersion":"1.1","originalUrl":"/health","query":{}},"res":{"statusCode":200},"responseTime":0},"level":"info"}}
@Badger
Thank you for your reply.
Is there a way we can set the "@timestamp" to null so that it will be populated by Logstash automatically?
Or is parsing the timestamp the ONLY option for us? The reason why we don't want to parse the "@timestamp" is that there is a good chance that another application in the future will have a new format of "@timestamp", and then we will be back to square one.
I figured out the issue: the problem was that, since I used the JSON filter, it automatically parses the "@timestamp" and throws the warning. I had to get a little bit creative like this:
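One way to keep the JSON filter from ever seeing an application-supplied "@timestamp", as an added example that is not the poster's config (which is not shown on this page). It assumes the raw JSON line arrives in the "message" field; the name "app_timestamp" and the stdin/stdout plugins used for testing are illustrative choices.

```logstash
# Added example, not the original poster's configuration.
# Assumption: the raw JSON text of each event is in the "message" field.

input {
  # For local testing: paste the sample event from the thread on stdin.
  stdin { }
}

filter {
  # Rename the key in the raw text BEFORE the json filter runs, so the
  # filter has no "@timestamp" key to parse and logs no warning.
  # "app_timestamp" is a hypothetical field name; pick any non-reserved one.
  # Single-quoted strings let the double quotes appear literally.
  mutate {
    gsub => [ "message", '"@timestamp"', '"app_timestamp"' ]
  }

  # Parse the rewritten text. The application's value lands in
  # "app_timestamp" as a plain string, whatever its format, and the
  # event keeps the "@timestamp" that Logstash assigned on receipt.
  json {
    source => "message"
  }
}

output {
  # Print the resulting event so the fields can be inspected.
  stdout { codec => rubydebug }
}
```

The gsub pattern replaces every occurrence of the quoted key in the message, including one nested deeper in the document, so check that no other part of the payload relies on that exact string.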