jordansissel / ruby-grok

Pure-ruby implementation of grok.
Apache License 2.0

add usage of @ in pattern subname #6

Closed gza closed 11 years ago

gza commented 11 years ago

This enables the direct extraction of @variable in logstash's grokfilter.

jordansissel commented 11 years ago

Reference: https://logstash.jira.com/browse/LOGSTASH-675

The new logstash schema has only one field with an "@" in it (and you aren't supposed to write to it directly, the timestamp). Given this schema change is only a few days away, is this patch still needed?

gza commented 11 years ago

One of our needs is to set @timestamp with the syslog date; this is, for us, the meaningful date of an event. I saw that the new event class will need modification to accept that (I will propose a patch).

BTW, speaking of "direct grok to event data": can we imagine this: `%{IP:client[ip_address]}`? So we could have direct grok to subhash element assignment.

If this last proposal suits you, I could add [] to the pattern and test it against logstash 1.2.0.

jordansissel commented 11 years ago

Setting @timestamp as a string, directly, isn't supported in logstash (in fact, it'll probably cause things to break). You'll want to use the date filter to set it correctly. (use grok to pull out the timestamp text, have date parse it)

On your other proposal to support nesting, I support this. If you want to add it, I will accept the patch; otherwise, I can add it soon. Whichever you like :)