filebeat ingress timestamp replace with application timestamp
I'm using filebeat and kafka and wanted to replace ingress filebeat timestamp with application timestamp. I saw few example with logstash where can we add filter but not sure with kafka.
In this code I tried to replace timestamp but application_timestamp but its not worked due to date format. but this code worked for message field. filebeat.yml config below
fields:
application_timestamp: "2023-06-07 07:49:51.196Z"
processors:
- timestamp:
field: application_timestamp
layouts:
- '2006-01-02 15:04:05.999Z'
test:
- '2019-11-18 04:59:51.123Z'
processors:
- script:
lang: javascript
id: replace_timestamp
source: >
function process(event) {
event.Put("@timestamp", event.Get("fields.application_timestamp"));
return [event];
}
this is what I'm getting
this is what I want to achieve
Solution
Updated working filebeat.yml
filebeat.inputs:
- type: log
enabled: true
tags:
- test-kafka
paths:
- /Users/Documents/kafka_testing/logs/test.log
json.keys_under_root: true
json.add_error_key: true
output.kafka:
# specifying filebeat to take timestamp and message fields, other wise it
# take the lines as json and publish to kafka
codec.format:
string: '%{[@timestamp]} %{[message]} %{[application_time]}'
# kafka
# publishing to 'test' topic
hosts: ["localhost:9092"]
topic: 'test'
partition.round_robin:
reachable_only: false
required_acks: 1
compression: gzip
max_message_bytes: 1000000
processors:
- dissect:
tokenizer: "{type:test,application_time:%{application_time}}"
target_prefix: ""
- timestamp:
field: application_time
layouts:
- '2006-01-02 15:04:05.99'
test:
- '2019-11-18 04:59:51.12'
Result/Output :-
2021-06-25T19:25:30.000Z {type:test,application_time:2021-06-25 19:25:30} 2021-06-25 19:25:30
- How to test threat intel filebeat module rule in ELK
- Filebeat how to not generate dashboards automatically
- Parsing Filebeat logs to send to Elasticsearch
- Ingesting SQL Server ErrorLog using Filebeat with the mssql module
- Filebeat over HTTPS
- Filebeat : data path already locked by another beat. Please make sure that multiple beats are not sharing the same data path
- Format of .log file in Kubernetes and how log parsed by Filebeat
- http.host: 0.0.0.0 - ERROR lookup logstash : no such host
- error setting up kubernetes autodiscover provider: couldn't discover kubernetes node due to error kubernetes
- How to add field for logsstream from specific name in elasticserach logstream
- Sending logs of (rootless) podman containers to ELK?
- Regex not worked in filebeat
- my bashrc contains strange characters (if Ä -f ü/.bash_aliases Å; then . ü/.bash_aliases fi)
- Parsing k8s docker container json log correctly with Filebeat 7.9.3
- Filebeat on Azure Kubernetes Service(AKS) with Helm
- How to make a filebeat config to collect a specific lines from a file
- Windows docker: permission denied /var/run/docker.sock
- Enabling dashboards for filebeat
- Logstash + nginx: Fields wont be added
- Why isn't my filebeats if processor working?
- Kubernetes metadata not loading into OpenSearch after EKS Upgrade
- Filebeat Cisco Module for Nexus having errors reading the config file
- Does ECK required logstash
- Filebeat not sending data to elasticsearch
- Strange error with empty delimiter in dissect processor in filebeat
- filebeat ingress timestamp replace with application timestamp
- Filebeat not creating index in Opensearch
- elastic-agent is not collecting data
- Logstash data filter for column with multiplevalues to array type
- Why is filebeat creating a new datastream everyday?