How to extract and use @timefield from my log file?

I wish to set the @timestamp field to read timestamps from my log lines instead of using the time when it read the log. How can I do this?

example log lines:

2021.04.21 00:00:00.843  INF  getBaseData: UserName = 'nou dont look', Password = 'psps', HTTPS=0
2021.04.21 00:00:00.843  INF  getBaseData: UserName = 'you bad bad', Password = 'grign', HTTPS=0
2021.04.21 00:00:00.843  INF  getBaseData: UserName = 'ayooooo', Password = 'butter sauce', HTTPS=0
2021.04.21 00:00:00.858  INF  *** BEGINNING OF ARCCore.performARCTask ***
2021.04.21 00:00:00.858  INF  *** BEGINNING OF ARCCore.ProcessTask ***
2021.04.21 00:00:01.266  INF  ARCCore.DCI4ARCSyncLogin: login successfully executed. - No error - DCI4ARCSync-CurrSessions/MaxSessions=17/400 CurrProcesses/MaxProcesses=16/250
2021.04.21 00:00:01.297  INF  ARCCore.DCI4ARCSyncLogin: login successfully executed. - No error - DCI4ARCSync-CurrSessions/MaxSessions=7/400 CurrProcesses/MaxProcesses=7/250
2021.04.21 00:00:08.165  INF  ***  BEGINNING OF SYNC ARC TO DC  ***--->bIsExternal:0
2021.04.21 00:00:08.434  INF  BOC login successfully executed.  - No Error - DCI4ARC-CurrSessions/MaxSessions=24/400 CurrProcesses/MaxProcesses=15/250
2021.04.21 00:00:08.635  INF  BOCVersionNr ==> V16.1.00.00
2021.04.21 00:00:08.804  INF  setEntitySnapshot successfully executed
2021.04.21 00:00:09.453  INF  getSnapshotList successfully executed
2021.04.21 00:00:09.461  INF  getARCVersion: ARCVersionNr ==> V16.0.00.06

I use the following tokenizers to dissect the log lines:

processors:

- dissect:
    when:
      contains:
        message: "UserName"
    # closing quote after the user name restored so trash3 does not swallow it
    tokenizer: "%{timestamplog} %{+timestamplog}  %{type}  %{func}: UserName = 'ARC_%{trash1}_%{trash2}_%{trash3}', Password = '%{password}', HTTPS=%{https}"
    target_prefix: "axess"

- dissect:
    when:
      contains:
        message: "BOCVersionNr"
    # no "|ip" conversion: the value is a version string, not an address, and
    # the conversion would make the processor fail for this event
    tokenizer: "%{timestamplog} %{+timestamplog}  %{type}  BOCVersionNr ==> %{BOCversionNr}"
    target_prefix: "axess"

- dissect:
    when:
      contains:
        message: "ARCVersionNr"
    tokenizer: "%{timestamplog} %{+timestamplog}  %{type}  getARCVersion: ARCVersionNr ==> %{ARCVersionNr}"
    target_prefix: "axess"

- dissect:
    when:
      contains:
        message: "ERR"
    tokenizer: "%{timestamplog} %{+timestamplog}  %{type}  %{ErrMsg}"
    target_prefix: "axess"

- dissect:
    when:
      contains:
        message: "INF"
    tokenizer: "%{timestamplog} %{+timestamplog}  %{type}  %{InfMsg}"
    target_prefix: "axess"

Now what I wish to achieve is that in Kibana my @timestamp uses the values from the axess.timestamplog field, so that I can apply ranges and other time-related operations to the data.



Solution 1:[1]

You could use the rename processor to rename your event into @timestamp.

If you wish to keep this information in axess.timestamplog you may want to use the copy processor.

There are many solutions, also directly in Elasticsearch by tweaking the index settings. But as you do not mention this in your question, I considered it off topic.
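As an added example (not from the question or the answer), here is a Filebeat processors chain that takes the dissected axess.timestamplog string and parses it into @timestamp with Filebeat's timestamp processor, so @timestamp holds an actual date rather than the raw text. It assumes the appended field reads like the sample lines ("2021.04.21 00:00:00.843"), that the log carries no zone and was written in UTC (adjust `timezone` otherwise), and it shows only the INF dissect case; copy_fields is the processor the answer refers to as "copy".

```yaml
processors:
  # Same dissect as in the question, shown for the INF case only.
  - dissect:
      when:
        contains:
          message: "INF"
      tokenizer: "%{timestamplog} %{+timestamplog}  %{type}  %{InfMsg}"
      target_prefix: "axess"

  # The answer's "copy" step: keep the raw string under another name
  # before it is parsed (optional).
  - copy_fields:
      fields:
        - from: "axess.timestamplog"
          to: "axess.timestamplog_raw"
      fail_on_error: false
      ignore_missing: true

  # Parse "2021.04.21 00:00:00.843" into @timestamp. The layout uses Go
  # reference-time notation (2006 = year, 01 = month, 02 = day, .000 = ms).
  # Assumption: the log is written in UTC; the source carries no zone.
  - timestamp:
      field: "axess.timestamplog"
      target_field: "@timestamp"
      layouts:
        - "2006.01.02 15:04:05.000"
      timezone: "UTC"
      ignore_missing: true
      ignore_failure: false
      # Filebeat validates these sample values against the layouts at startup.
      test:
        - "2021.04.21 00:00:00.843"
        - "2021.04.21 00:00:09.461"

  # Drop the now-redundant string, and never index the cleartext password
  # the first tokenizer in the question captures into axess.password.
  - drop_fields:
      fields: ["axess.timestamplog", "axess.password"]
      ignore_missing: true
```

Check the result with a time-range query in Kibana after restarting Filebeat; if the parse fails, the original @timestamp (ingest time) is kept and the error is logged by Filebeat.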

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Paulo