LogStash: how to make a copy of the @timestamp field while maintaining the same time format?

I would like to create a copy of the @timestamp field that uses the same format as @timestamp.

I tried the following:

 mutate { add_field => ["read_time", "%{@timestamp}"] } 

but while @timestamp is in the format 2014-08-01T18:34:46.824Z, read_time is in this format: 2014-08-01 18:34:46.824 UTC

This is a problem because Kibana does not understand the "UTC" format for histograms.

Is there a way to use a date filter for this?

+6
1 answer

Kibana cannot understand it because the read_time field is a string, not a timestamp! You can use the ruby filter to do what you need. Just copy @timestamp into the new read_time field, and the field is a timestamp, not a string. add_field adds a new field with a string type!

Here is my configuration:

    input {
      stdin {}
    }
    filter {
      ruby {
        code => "event['read_time'] = event['@timestamp']"
      }
      mutate {
        add_field => ["read_time_string", "%{@timestamp}"]
      }
    }
    output {
      stdout { codec => "rubydebug" }
    }

You can try it and see the output:

    {
                 "message" => "3243242",
                "@version" => "1",
              "@timestamp" => "2014-08-08T01:09:49.647Z",
                    "host" => "BENLIM",
               "read_time" => "2014-08-08T01:09:49.647Z",
        "read_time_string" => "2014-08-08 01:09:49 UTC"
    }

Hope this helps you.

+11

Source: https://habr.com/ru/post/973509/

