Log creation time is not matching with @timestamp value

Sandeep · April 25, 2024, 9:33am

Hi,

I am trying to match the log event timestamp with OpenSearch @timestamp value. It has difference in minutes. My log format is as below -

xx.xx.xxx.xxx 10.48.11.36 - - [25/Apr/2024:09:08:16 +0000] "POST /api/x/x/9e309077033/poll HTTP/1.1" 200 12 "-" "python-requests/2.31.0"
- 127.0.0.1 - - [25/Apr/2024:09:08:55 +0000] "GET /api/x/x HTTP/1.1" 401 156 "-" "curl/7.88.1"

For the first log @timestamp value is: Apr 25, 2024 @ 09:08:59.815
The second log @timestamp value is: Apr 25, 2024 @ 09:08:58.825

This is the config I am trying, but in output I always get the current timestamp rather than the value of event “timestamp”.

dissect {
        mapping => {
          "message" => '%{client_ip} %{+client_ip} %{?-} %{?-} [%{timestamp}] %{method} %{path} %{http_version} %{response} %{bytes} %{url} %{browser}'
        }
      }
      date {
        match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss ZZZ" ]
        target => "@timestamp"
      }

Someone guide me to right direction.

Thanks

gaobinlong · April 26, 2024, 1:18am

The date format you specified is not consistent with the format in the original log, the format should be dd/MMM/yyyy:HH:mm:ss Z

Topic		Replies	Views
Logstash - Parsing the JSON message with two @timestmap in the original message OpenSearch troubleshoot	6	624	August 31, 2023
Index not using timestamp for time event occurred General Feedback	2	515	October 7, 2021
@timestamp field is not using UTC OpenSearch	9	153	March 29, 2024
Dealing with @timestamp values in SQL SQL troubleshoot	3	6946	April 5, 2022
Logstash :sql_las_value is not taking the last value OpenSearch Client Libraries clients-general	1	931	November 30, 2021

Log creation time is not matching with @timestamp value

Related Topics