Use converted timestamp from csv like index sufix

Alexey_Nikolaev · October 21, 2021, 11:13am

Hello!
I have a lot of CISCO CDR files, about 500k. Its logs from clustef of CISCO CUCM, and I want to put it to indexes with name CUCM-CDR-{mm-yyyy}. Date I want to get from field named "dateTimeDisconnect". Can you help me out?

aaron-nimocks · October 21, 2021, 11:22am

Can you give an example of what the field dateTimeDisconnect looks like?

Alexey_Nikolaev · October 21, 2021, 11:25am

Here is - 1630999768

aaron-nimocks · October 21, 2021, 11:41am

input { generator { codec => json count => 1 lines => [ '{ "dateTimeDisconnect": "1630999768" }' ] } }
filter {
 date {
  match => [ "dateTimeDisconnect", "UNIX" ]
 }
}
output {
  elasticsearch {
    hosts => "localhost"
    index => "cucm-cdr-%{+MM-YYYY}"
  }
  stdout { codec => json }
}

Use date filter to convert field dateTimeDisconnect to a date and store in @timestamp. Then you can use the values in your index name. The cucm-cdr portion needs to be lowercased.

Index name will be cucm-cdr-09-2021 from the conf above.

Alexey_Nikolaev · October 21, 2021, 12:13pm

Thanks a lot!

system · November 18, 2021, 12:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.