I'm going to assume you have defined your own mapping. As such ES will try to determine the fields on its own. For date-based fields it has a number of default supported formats, located in the links below. If you define your mapping for the index ahead of time you can add your own custom date format(s), though once the index is created the existing field types can not be changed (except to objects, but that's a different discussion).

IMO the simplest solution is to adjust your output to meet the ES supported format of "yyyy-MM-dd'T'HH:mm:ss" by adding the "T" in between, making it a single string (no spaces). You can have as many date fields as you want, though it would be best to ensure at least one remains consistent. You could concatenate by creating a new variable or via a template. As an example using a local variable:

set $.mytimestamp = $!day & "T" & $!time;

In my current workings I use @recvTime and @endTime, where @recvTime is equal to the time received by rsyslog (timegenerated) and @endTime is equal to either the result of the rsyslog property timereported or a value I've extracted using liblognorm. This lets me look at my data from an ES administrative perspective and from an operations/user/business perspective.

Elasticsearch Date data type documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/date.html
Elasticsearch Date format documentation: https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-date-format.html#strict-date-time

--
View this message in context: http://rsyslog-users.1305293.n2.nabble.com/Rsyslog-to-JSON-parser-tp7591413p7591469.html
Sent from the rsyslog-users mailing list archive at Nabble.com.
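Added example (not from the post above, and not the poster's own config): a rsyslog configuration that puts the two-timestamp idea into practice. It assumes an mmnormalize rulebase at /etc/rsyslog.d/app.rb (hypothetical path) that extracts $!day as yyyy-MM-dd and $!time as HH:mm:ss from the message body; the template, ruleset and field names (@recvTime, @endTime, es-doc, to-es) are my own choices, and searchType="_doc" assumes an Elasticsearch 7.x target. @recvTime always comes from timegenerated in RFC 3339 form, which ES parses as a date by default; @endTime is the "T"-joined extracted fields when both are present, and falls back to timereported otherwise, so the field never ends up as a space-separated string that ES would map as text.

```rsyslog
module(load="mmnormalize")
module(load="omelasticsearch")

# Fallback for @endTime when liblognorm did not extract day/time:
# the timestamp rsyslog parsed from the syslog header, in RFC 3339.
template(name="rfc3339-reported" type="list") {
  property(name="timereported" dateFormat="rfc3339")
}

# JSON document sent to Elasticsearch. Property values are JSON-escaped
# so a hostile message body cannot break out of the "message" string.
template(name="es-doc" type="list") {
  constant(value="{")
  constant(value="\"@recvTime\":\"")   property(name="timegenerated" dateFormat="rfc3339")
  constant(value="\",\"@endTime\":\"") property(name="$.endtime")
  constant(value="\",\"host\":\"")     property(name="hostname" format="json")
  constant(value="\",\"message\":\"")  property(name="msg" format="json")
  constant(value="\"}\n")
}

ruleset(name="to-es") {
  # Assumed rulebase: populates $!day (yyyy-MM-dd) and $!time (HH:mm:ss).
  action(type="mmnormalize" rulebase="/etc/rsyslog.d/app.rb")

  # Join the extracted fields with "T" so the value matches yyyy-MM-dd'T'HH:mm:ss.
  # If extraction failed, use timereported instead of emitting an empty or
  # space-separated value that ES would map as text and then refuse to change.
  if ($!day != "" and $!time != "") then {
    set $.endtime = $!day & "T" & $!time;
  } else {
    set $.endtime = exec_template("rfc3339-reported");
  }

  action(type="omelasticsearch" server="localhost" serverport="9200"
         template="es-doc" searchIndex="rsyslog" searchType="_doc")
}
```

Bind an input to the ruleset (for example `input(type="imudp" port="514" ruleset="to-es")`) to feed it. Before pointing it at a production index, send a handful of messages to a scratch index and check `GET /rsyslog/_mapping` shows both @recvTime and @endTime typed as `date`; if either shows up as `text`/`keyword` the format was wrong, and the only fix is to delete and recreate the index.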

