How to set time in log as main @timestamp in elasticsearch

1
votes

Im using logstash to index some old log files in my elastic DB. i need kibana/elastic to set the timestamp from within the logfile as the main @timestamp.

Im using grok filter in the following way: %{TIMESTAMP_ISO8601:@timestamp} yet elasticsearch sets the time of indexing as the main @timestamp and not the timestamp written in the log line.

Any idea what am i doing wrong here?

Thanks

1
elasticsearchlogstashkibanalogstash-grok

1 Answers

5
votes

Use the date filter to set the @timestamp field. Extract the timestamp in whatever format it's in into a separate (temporary) field, e.g. timestamp, and feed it to the date filter. In your case you'll most likely be able to use the special ISO8601 timestamp format token.

filter {
  date {
    match => ["timestamp", "ISO8601"]
    remove_field => ["timestamp"]
  }
}