Hello Community,
I have been encountering an error while trying to parse the timestamps in the log below,

To parse the above timestamps, I've attached my code and the error,
date {
  match => ["created", "UNIX_MS", "UNIX"]
  target => "event.idm.read_only_udm.metadata.collected_timestamp"
  # on_error => "no_match"
}
Snip of error:

As per my understanding, the timestamp is a float and is not matching the date functions like "UNIX" or "UNIX_MS".
Can someone please help me figure out this problem?
Thanks,
Sudeep
Best answer by vishnu_manu
Hello sudeep,
I tried converting the timestamp to string and it's parsing.
Here's the code snippet for your reference:
filter {
  mutate {
    replace => {
      "event.idm.read_only_udm.metadata.event_type" => "GENERIC_EVENT"
    }
  }
  json {
    source => "message"
    array_function => "split_columns"
    on_error => "zerror.not_json1"
  }
  mutate {
    convert => {
      "created" => "string"
    }
  }
  date {
    match => ["created", "UNIX_MS"]
    target => "event.idm.read_only_udm.metadata.collected_timestamp"
    # on_error => "no_match"
  }
  mutate {
    merge => {
      "@output" => "event"
    }
  }
}

Hope that helps!
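
A quick offline check for the problem discussed in this thread, as an added example that is not part of the original posts: it reports the JSON type of `created` in sample log lines and which of the two epoch formats named above ("UNIX" or "UNIX_MS") the value's magnitude fits. The sample lines, the `inspect_created` helper and the 1e11 seconds/milliseconds cutoff are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample events; the "created" values are invented for illustration.
SAMPLE_LINES = [
    '{"created": 1700000000}',        # integer seconds
    '{"created": 1700000000123}',     # integer milliseconds
    '{"created": 1700000000.123}',    # float seconds
    '{"created": "1700000000123"}',   # milliseconds already quoted as a string
    '{"created": "not-a-time"}',      # unparseable value
]

# Assumption: epoch values at or above this magnitude are milliseconds
# (1e11 seconds would be a date in the year 5138).
MS_THRESHOLD = 1e11


def inspect_created(line, field="created"):
    """Return (json_type, suggested_format, utc_iso) for one raw JSON log line."""
    value = json.loads(line).get(field)
    json_type = type(value).__name__
    if value is None or isinstance(value, bool):
        return json_type, None, None
    try:
        number = float(value)
        if abs(number) >= MS_THRESHOLD:
            fmt, seconds = "UNIX_MS", number / 1000.0
        else:
            fmt, seconds = "UNIX", number
        stamp = datetime.fromtimestamp(seconds, tz=timezone.utc)
    except (TypeError, ValueError, OverflowError, OSError):
        # Not a usable epoch value (text, NaN, out of range, nested object).
        return json_type, None, None
    return json_type, fmt, stamp.isoformat(timespec="milliseconds")


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(sample, "->", inspect_created(sample))
```

A `float` or `int` in the first column means the JSON decoder produced a number rather than text, which is the case the string conversion in the answer addresses.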