On Tuesday, September 30, 2014 at 20:31 CEST,
     Matt Hughes <[email protected]> wrote:

> I have a logstash-forwarder client sending events to lumberjack ->
> elasticsearch to timestamped logstash indices.  How does logstash
> decide what *day* index to put the document in?  Does it look at
> @timestamp?

Yes.

> @timestamp is just generated when the document is received, correct?
> So if you logged an event on a client at 11 pm UTC but it didn't make
> it to elasticsearch until 1am UTC the next day, which index would it
> go in?  Would it go in the day it was created or would it go in the
> day it got to elasticsearch?
> If the latter, is there a way to force logstash to respect a date field
> in the original log event?

You should use a 'date' filter to extract the date and time from a field
in the log message and populate the @timestamp field.

http://logstash.net/docs/1.4.2/filters/date

This is really more of a Logstash question, and there's a separate
group for that: [email protected]

-- 
Magnus Bäck                | Software Engineer, Development Tools
[email protected] | Sony Mobile Communications
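
An added example, not part of the original message: a Logstash 1.4-style pipeline in which the 'date' filter sets @timestamp from the time in the log line, so an event logged at 23:00 UTC is indexed under that day even if it arrives after midnight. The port, certificate paths, line format and the field names log_time and log_message are assumptions.

```conf
input {
  lumberjack {
    port            => 5043                      # assumed port
    ssl_certificate => "/path/to/forwarder.crt"  # placeholder path
    ssl_key         => "/path/to/forwarder.key"  # placeholder path
  }
}

filter {
  # Assumed line format: "2014-09-30T23:00:12Z some message text"
  grok {
    match => [ "message", "%{TIMESTAMP_ISO8601:log_time} %{GREEDYDATA:log_message}" ]
  }

  # Parse log_time and write the result to @timestamp (the default target).
  # If parsing fails, @timestamp keeps the time Logstash received the event.
  date {
    match    => [ "log_time", "ISO8601" ]
    timezone => "UTC"   # only used when the parsed string carries no zone
  }
}

output {
  elasticsearch {
    host  => "localhost"                 # assumed host
    # %{+YYYY.MM.dd} is formatted from @timestamp, so the daily index
    # follows the event's own time rather than its arrival time.
    index => "logstash-%{+YYYY.MM.dd}"
  }
}
```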
