#logstash

New news from newjiraissues: Philipp H created LOGSTASH-1618 - grok break_on_match not working <https://logstash.jira.com/browse/LOGSTASH-1618>;

so, i'm sure this is not a new question: but haven't been able to work out an answer - how can i ingest existing logs and have the correct timestamp?

Anyone here familiar with the kv filter? Some of my logs have a field type=foobar which is overriding the actual type I've assigned to that log source. Very annoying. I could always do away with kv and write some regex to grok it but it's rather nasty.

How is it possible to index old data in ES, e.g. data from the whole last year? Is anyone familiar with it?

newbie672: trying to do the same thing

if i nc localhost port < logfile it is ingested with the current @timestamp. trying to get it to have @timestamp as DATE and TIME

you have to use the date filter

but you need alos an existing index in ES

hi - in the docs it says you must use elastic search 0.90.3 - does this mean 0.90.3 or above?

I am using 0.90.5

without any problem

0.90.7-1 here. works

Back to the problem. Logstash normally create on index per day in ES. For example...If your indices in ES starting from Logstash-2013.11.27...what happens, if I import and parse data with logstash from 2012.11.27. How is it possible to reindex them?

For entity, I have to use the date filter to set the correct @timestamp. But I haven not an index in ES for this time, so nothing will show up.

thanks ahatfiel

newbie672: have you seen the elasticsearch input? may help. reading now for my issue also

ahhh, looks like Jordan has made a youtube for adding old logs! :)

Title: logstash: demo backfilling old logs - YouTube (at www.youtube.com)

I will take a look