In my Pipeline I extract a timestamp. I would like to override the existing timestamp field. How would I do this?
Pipeline:
{
"description": "...",
"processors": [
{
"grok": {
"field": "message",
"patterns": [
"{TIMESTAMP_ISO8601:timestamp2}"
],
}
}
]
}
I would like timestamp2 to override the original timestamp field.
You can simply override the field name like this:
"description": "...",
"processors": [
{
"grok": {
"field": "message",
"patterns": [
"%{TIMESTAMP_ISO8601:timestamp}" <--- use timestamp here instead of timestamp2
]
}
}
]