Using date filter within split filter

maksimize · January 9, 2020, 10:01am

Hi All
I'm receiving batch event from azure eventhub and I am using split filter to split each event into it's own record
the problem I'm facing is that each split event has it's own datetime and I would like to use the as @timestamp

here is my filter so far but the records.time is still different from the @timestamp

filter {

      json {

        source => "message"

      }

      split {

        field => "records"

      }

      date {

        match => ["records.time", "yyyy-MM-dd'T'HH:mm:ss'.'SSSZ"]

        target => "@timestamp"

      }

    }

Badger · January 9, 2020, 4:57pm

That should almost certainly be "[records][time]"

maksimize · January 10, 2020, 2:38pm

not really I got
_dateparsefailure tag when I did that

Badger · January 10, 2020, 5:14pm

That is a good sign. It means the field you are trying to match exists, it just doesn't have the right format.

What does [records][time] look like if you use

output { stdout { codec => rubydebug } }

maksimize · January 15, 2020, 2:47pm

Thanks you for your help
now it works after I fixed time format
date {

    match => ["[records][time]", "ISO8601"]

    target => "@timestamp"

  }

system · February 12, 2020, 2:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.