Changing @timestamp with the date{} filter

By default, elasticsearch sets the @timestamp field to the time that the document was written into elasticsearch.  For log file data, one of the first things you’ll want to do with logstash is to set @timestamp to be the value from the log event you’re processing.

To keep this example simple, we’ll assume that you’ve already grok’ed the event and have a field called “my_timestamp” that contains the correct information from the log event, e.g. “14/Mar/2015:09:26:53 -0500”.

filter {
  date {
    # field to parse, followed by the pattern its value must match
    match => [ 'my_timestamp', "dd/MMM/yyyy:HH:mm:ss Z" ]
    # drop the source field once @timestamp has been set
    remove_field => [ 'my_timestamp' ]
  }
}

The match option takes the value of the “my_timestamp” field, parses it with the specified pattern (here dd/MMM/yyyy:HH:mm:ss Z, where Z matches the -0500 offset), and stores the resulting date in the @timestamp field, normalised to UTC.

Once @timestamp has been populated, we no longer need “my_timestamp”, so it is removed. Note that remove_field only runs when the parse succeeds: if the value does not match the pattern, the date filter leaves @timestamp and “my_timestamp” untouched and tags the event with _dateparsefailure, which is worth checking for when validating a new pattern.
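As an added illustration, not code from the original post or from the Logstash project, the Python snippet below mimics the date filter's behaviour on constructed events: it parses the field with the strptime equivalent of the Joda pattern above, writes a UTC @timestamp, removes the source field only on success, and tags failures with _dateparsefailure. It also tries several patterns in order, as the filter's match option allows when more than one format is listed.

```python
from datetime import datetime, timezone

# Constructed sample events (not from the original post); "my_timestamp" is
# assumed to have been extracted by an earlier grok stage.
EVENTS = [
    {"message": "GET /index.html 200", "my_timestamp": "14/Mar/2015:09:26:53 -0500"},
    {"message": "GET /robots.txt 404", "my_timestamp": "2015-03-14T09:26:53+0000"},
    {"message": "unparseable line", "my_timestamp": "Saturday, March 14"},
]

# strptime equivalents of the Joda patterns "dd/MMM/yyyy:HH:mm:ss Z" and
# "yyyy-MM-dd'T'HH:mm:ssZ"; tried in order, like the filter's match list.
PATTERNS = ["%d/%b/%Y:%H:%M:%S %z", "%Y-%m-%dT%H:%M:%S%z"]


def apply_date_filter(event, field="my_timestamp", patterns=PATTERNS):
    """Return a copy of the event with @timestamp set from `field`.

    On success the source field is removed; on failure the event is
    returned unchanged apart from a _dateparsefailure tag.
    """
    event = dict(event)
    value = event.get(field)
    parsed = None
    if value is not None:
        for pattern in patterns:
            try:
                parsed = datetime.strptime(value, pattern)
                break
            except ValueError:
                continue
    if parsed is None:
        event["tags"] = list(event.get("tags", [])) + ["_dateparsefailure"]
        return event
    # Logstash stores @timestamp in UTC with millisecond precision.
    utc = parsed.astimezone(timezone.utc)
    event["@timestamp"] = utc.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    del event[field]
    return event


def run_filter(events):
    """Apply the filter to every event, as the pipeline would."""
    return [apply_date_filter(e) for e in events]


if __name__ == "__main__":
    for out in run_filter(EVENTS):
        print(out)
```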
