#logstash

is it possible to regex match for/in the tags field? i.e. "if "/(.*)failure(.*)/" in tags?

warkolm: The gist you shared, it would re-index with the same name as you are using %{[@metadata][_index]}

will logstash create temp index, delete it and re-index again? But I wanted to modify the original index name slightly i.e making 'logstash' to 'log'

hi

i'm having some issues with timestamps, getting 2 hour offset (cause actual timestamp doesn't have Z).

according to mr. google, when no Z is present, it automatically uses UTC

i could replace tstamp to add +200 (europe), but that wouldn't work on daylightsaving calendar

hence...my question: is there any way logstash to automatically use the CORRECT timestamp?

t4nk514, you can mutate it to the timezone you expect?

I am doing this: http://pastebin.com/i9M9bNG5

Title: date { locale => "en" match => ["timestamp", "ISO8601" - Pastebin.com (at pastebin.com)

pandaadb: what about daylight saving?

I doubt you will be able to make that. I suggest changing your logging to log in UTC and then parse it as UTC

hi - i'm brand new to logstash and i'm trying to use it for logs from a custom application

the logs are json documents - one line, one json document

I mean, DST isn't even a thing really? Half the time it's not used, then the other half it is on different days

t4nk514, what you could do, but I highly do not recommend it, write your filters with if

I've done a basic input/output config file, but i find a bit tricky managing them between codecs and filters

so you do the date filter above but you could have them two. And then you go something like: If now() == Day of change THEN use the other timezone value

pandaadb: now i discovered why...docker timezone

thanks a lot!

bye

sure .. :D

_xela, do you have an example? I don't really get your question

let me go to pastebin

Title: input { udp { port => 5555 codec => json } } input { udp { - Pastebin.com (at pastebin.com)

reinstall kibana

for the application data, everything works in elasticsearch

for the bigdata not.

do you mean your bigdata is not read at all?

it's read, but

I am not sure if that's (still) true, but I believe that you can not (or should not) have multiple input output filter

[2016-04-29 13:20:01,567][DEBUG][action.bulk ] [Grotesk] [name-2016.04.29][4] failed to execute bulk item (index) index

instead you should write it with one filter

oh okay, that seems something different

when writing on file

they are fine

when sending to elastic, elastic is annoyed.

interesting. Are the index names the same?

For your app and bigdata parts I mean

as the log is not in the "message" key, but in the "data", and also the data is an hash of many key->value

that can also nested

not a leaf document

yes, same index.

good point. i could start separating them.

How do I run logstash with multiple config files?

<http://tinyurl.com/p3exuje>; (at stackoverflow.com)