I have JSON log messages sent to logstash which looks like:
{"@timestamp":"2017-08-10 11:32:14.619","level":"DEBUG","logger_name":"application","message":"Request processed in 1 ms"}
And logstash configured with:
json {
source => "message"
}
date {
match => ["@timestamp", "yyyy-MM-dd HH:mm:ss.SSS"]
timezone => "Europe/Paris"
}
But I have this warning in the logs:
[2017-08-10T11:21:16,739][WARN ][logstash.filters.json ] Unrecognized @timestamp value, setting current time to @timestamp, original in _@timestamp field {:value=>"\"2017-08-10 11:20:34.527\""}
I tried different configurations, like adding quotes around the space, renaming the field with a mutate before the date filter (which results with the same warning, and an error saying that the timestamp is missing), etc...
In the values stored in elastic search, the timestamp is the time the log was parsed and not the original (2/3 seconds after).
What am I missing?
I think the problem is that the field in the source message is named @timestamp, just like the default.
We solved it by renaming the field in the source, add changing the config to :
date {
match => ["apptimestamp", "yyyy-MM-dd HH:mm:ss.SSS"]
timezone => "Europe/Paris"
}