Reputation: 125
How to set time in log as main @timestamp in elasticsearch
Im using logstash to index some old log files in my elastic DB. i need kibana/elastic to set the timestamp from within the logfile as the main @timestamp.
Im using grok filter in the following way: %{TIMESTAMP_ISO8601:@timestamp} yet elasticsearch sets the time of indexing as the main @timestamp and not the timestamp written in the log line.
Any idea what am i doing wrong here?
Thanks
Upvotes: 2
Views: 3979
Answers (2)
Reputation: 1208
This worked for me.
filter {
grok {
match => ["message", "%{TIMESTAMP_ISO8601:tstamp}"]
}
date {
match => ["tstamp", "ISO8601"]
}
}
Upvotes: 0
Reputation: 11581
Use the date filter to set the @timestamp field. Extract the timestamp in whatever format it's in into a separate (temporary) field, e.g. timestamp, and feed it to the date filter. In your case you'll most likely be able to use the special ISO8601 timestamp format token.
filter {
date {
match => ["timestamp", "ISO8601"]
remove_field => ["timestamp"]
}
}
Upvotes: 5
Related Questions
- How to Make Epoch Time which is there in the middle of my log as @timestamp in Logstash?
- Logstash Grok Modifying and overwriting @timestamp
- Grok formatting for a custom timestamp
- Logstash - Use current date as timestamp date
- Using log timestamp as @timestamp in elasticsearch
- Writing to @timestamp in LogStash
- Update @timetamp field in logstash with custom timestamp value
- Kibana to display @timestamp field into a readable format
- Grok formatting for a custom timestamp
- How to use _timestamp in logstash elasticsearch