Using my own time field instead of the @timestamp automatically added by Filebeat

snowfrogdev · February 28, 2021, 2:36am

I'm using the http_endpoint input with Filebeat.

I wanna use the timestamp field from my JSON payload instead of the @timestamp that Filebeat seems to add automatically.

filebeat.inputs:
  - type: http_endpoint
    enabled: true
    listen_address: filebeat
    listen_port: 8088

output.elasticsearch:
  hosts: "${ELASTICSEARCH_HOSTS:elasticsearch:9200}"

setup.kibana:
  hosts: "kibana:5601"

When I go to the index pattern section of the stack management section, I can see that my timestamp field is typed as a string and I can't select it as the official time field.

When I try to edit the type Date is not showing as an option in the list.

This ELK stack thing is going to be the death of me. It's a really cool suite of tools (yay for open source) but not exactly easy to configure. Thanks in advance for the help.

stephenb · February 28, 2021, 3:52am

There are a few basic areas you should understand like mappings (schema), data types etc normal data store concepts etc.

But tl;dr you can use this to set the timestamp from the field in your message. (There are other ways as well but this is probably most direct)

Pay attention to date formats, dates are an important concept in time series data.

Anything of value takes some investment.

system · March 28, 2021, 3:52am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filebeat new timestamp field Beats filebeat	3	2601	May 29, 2018
Filebeat sending json date field as text Beats filebeat	12	2968	November 12, 2018
@timestamp in log file getting replaced by processing time Beats filebeat	7	6523	July 19, 2016
Using index template to read a field as date Beats filebeat	5	4213	September 19, 2018
Filebeat fields.yml Beats filebeat	4	4763	April 11, 2019

Using my own time field instead of the @timestamp automatically added by Filebeat

Related Topics