Convert timezones if event.timezone is set (elastic#12311)
Follow up of elastic#12253
jsoriano authored May 29, 2019
1 parent d1446d4 commit 3af1f29
Showing 14 changed files with 129 additions and 26 deletions.
10 changes: 9 additions & 1 deletion filebeat/module/elasticsearch/audit/ingest/pipeline.json
Expand Up @@ -37,10 +37,18 @@
"formats": [
"ISO8601"
],
{< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
"ignore_failure": true
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "@timestamp",
"formats": ["ISO8601"],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
},
{
"remove": {
"field": "elasticsearch.audit.@timestamp"
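Review bot: The added `date` processor runs whenever `event.timezone` is set, including when the preceding `date` processor failed and was silenced by `"ignore_failure": true`. In that case `@timestamp` still holds whatever value the event arrived with, presumably the shipper's read time and already a correct instant, and re-reading it in the event's timezone would move it. The same two-step pattern is repeated in the other pipelines of this commit. One way to close the gap is to have the first processor record its failure in `error.message` instead of ignoring it, and to extend the new condition, for example `"if": "ctx.event?.timezone != null && ctx.error == null"`. The processor list continues outside the hunk, so this is based only on the lines shown.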
10 changes: 9 additions & 1 deletion filebeat/module/elasticsearch/deprecation/ingest/pipeline.json
Expand Up @@ -37,10 +37,18 @@
"formats": [
"ISO8601"
],
{< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
"ignore_failure": true
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "@timestamp",
"formats": ["ISO8601"],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
},
{
"remove": {
"field": "elasticsearch.deprecation.timestamp"
10 changes: 9 additions & 1 deletion filebeat/module/elasticsearch/server/ingest/pipeline.json
Expand Up @@ -61,10 +61,18 @@
"formats": [
"ISO8601"
],
{< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
"ignore_failure": true
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "@timestamp",
"formats": ["ISO8601"],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
},
{
"remove": {
"field": "elasticsearch.server.timestamp"
10 changes: 9 additions & 1 deletion filebeat/module/elasticsearch/slowlog/ingest/pipeline.json
Expand Up @@ -37,10 +37,18 @@
"formats": [
"ISO8601"
],
{< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
"ignore_failure": true
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "@timestamp",
"formats": ["ISO8601"],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
},
{
"remove": {
"field": "elasticsearch.slowlog.timestamp"
10 changes: 9 additions & 1 deletion filebeat/module/kafka/log/ingest/pipeline.json
Expand Up @@ -62,10 +62,18 @@
"field": "kafka.log.timestamp",
"target_field": "@timestamp",
"formats": ["yyyy-MM-dd HH:mm:ss,SSS"],
{< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
"ignore_failure": true
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "@timestamp",
"formats": ["ISO8601"],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
},
{"remove": {"field": "kafka.log.timestamp" }}
],
"on_failure" : [{
10 changes: 9 additions & 1 deletion filebeat/module/logstash/log/ingest/pipeline-plain.json
Expand Up @@ -35,10 +35,18 @@
"formats": [
"ISO8601"
],
{< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
"ignore_failure": true
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "@timestamp",
"formats": ["ISO8601"],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
},
{
"remove": {
"field": "logstash.log.timestamp"
10 changes: 9 additions & 1 deletion filebeat/module/logstash/slowlog/ingest/pipeline-plain.json
Expand Up @@ -50,10 +50,18 @@
"formats": [
"ISO8601"
],
{< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
"ignore_failure": true
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "@timestamp",
"formats": ["ISO8601"],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
},
{
"remove": {
"field": [
10 changes: 9 additions & 1 deletion filebeat/module/nginx/access/ingest/default.json
Expand Up @@ -89,10 +89,18 @@
"formats": [
"dd/MMM/yyyy:H:m:s Z"
],
{< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
"ignore_failure": true
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "@timestamp",
"formats": ["ISO8601"],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
},
{
"remove": {
"field": "nginx.access.time"
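Review bot: The first `date` processor here parses `dd/MMM/yyyy:H:m:s Z`, so the log line already carries its own UTC offset and `@timestamp` should be a correct instant before the added processor runs. If the second pass re-interprets that value in `event.timezone`, as it is meant to for formats without a zone, access-log times would shift by the host's offset. As far as I know the removed `"timezone"` option did not have this effect, because an offset parsed from the input takes precedence over it. Consider leaving the added block out of this pipeline, and check the `z` formats in `cisco/asa/ingest/pipeline.yml` for the same reason.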
9 changes: 8 additions & 1 deletion filebeat/module/nginx/error/ingest/pipeline.json
Expand Up @@ -18,9 +18,16 @@
"field": "nginx.error.time",
"target_field": "@timestamp",
"formats": ["yyyy/MM/dd H:m:s"],
{< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
"ignore_failure": true
}
}, {
"date": {
"if": "ctx.event.timezone != null",
"field": "@timestamp",
"formats": ["ISO8601"],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
}, {
"remove": {
"field": "nginx.error.time"
10 changes: 9 additions & 1 deletion filebeat/module/system/auth/ingest/pipeline.json
Expand Up @@ -46,10 +46,18 @@
"MMM d HH:mm:ss",
"MMM dd HH:mm:ss"
],
{< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
"ignore_failure": true
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "@timestamp",
"formats": ["ISO8601"],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
},
{
"remove": {
"field": "system.auth.timestamp"
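Review bot: Conversion of `@timestamp` in this pipeline is no longer tied to the `convert_timezone` setting that guarded the removed line; it now happens for every document that arrives with `event.timezone` set. That field is supplied by the shipping host, so a wrong value moves authentication events on the timeline, and the `remove` of `system.auth.timestamp` that follows discards the text needed to check the result. I would keep the raw value whenever the conversion was applied or failed, and state the new trigger in the module documentation for `var.convert_timezone`. The same change of trigger applies to the other pipelines in this commit.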
9 changes: 6 additions & 3 deletions x-pack/filebeat/module/cisco/asa/ingest/pipeline.yml
Expand Up @@ -22,9 +22,6 @@ processors:
- date:
field: "_temp_.raw_date"
ignore_failure: true
{< if .convert_timezone >}
timezone: "{{ event.timezone }}"
{< end >}
formats:
- "MMM d HH:mm:ss"
- "MMM dd HH:mm:ss"
Expand All @@ -42,6 +39,12 @@ processors:
- "MMM dd yyyy HH:mm:ss z"
- "EEE MMM d yyyy HH:mm:ss z"
- "EEE MMM dd yyyy HH:mm:ss z"
- date:
if: "ctx.event.timezone != null"
field: "@timestamp"
formats: ["ISO8601"]
timezone: "{{ event.timezone }}"
on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]

#
# Set log.level
10 changes: 9 additions & 1 deletion x-pack/filebeat/module/iptables/log/ingest/pipeline.json
Expand Up @@ -64,13 +64,21 @@
"date": {
"field": "iptables.raw_date",
"ignore_failure": true,
{< if .convert_timezone >}"timezone": "{{ event.timezone }}",{< end >}
"formats": [
"MMM d HH:mm:ss",
"MMM dd HH:mm:ss"
]
}
},
{
"date": {
"if": "ctx.event.timezone != null",
"field": "@timestamp",
"formats": ["ISO8601"],
"timezone": "{{ event.timezone }}",
"on_failure": [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]
}
},
{
"remove": {
"field": "iptables.raw_date",
29 changes: 20 additions & 9 deletions x-pack/filebeat/module/panw/panos/ingest/pipeline.yml
Expand Up @@ -10,33 +10,44 @@ processors:
- date:
field: "_temp_.generated_time"
ignore_failure: true
#{< if .convert_timezone >}
timezone: "{{ event.timezone }}"
#{< end >}
formats:
- "yyyy/MM/dd HH:mm:ss"
- date:
if: "ctx.event.timezone != null"
field: "@timestamp"
formats: ["ISO8601"]
timezone: "{{ event.timezone }}"
on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]

# event.created is the time the event was received at the management plane.
- date:
field: "event.created"
target_field: "event.created"
ignore_failure: true
#{< if .convert_timezone >}
timezone: "{{ event.timezone }}"
#{< end >}
formats:
- "yyyy/MM/dd HH:mm:ss"
- date:
if: "ctx.event.timezone != null && ctx.event.created != null "
field: "event.created"
target_field: "event.created"
formats: ["ISO8601"]
timezone: "{{ event.timezone }}"
on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]

# event.start (traffic only) is the time the session started.
- date:
field: "event.start"
target_field: "event.start"
ignore_failure: true
#{< if .convert_timezone >}
timezone: "{{ event.timezone }}"
#{< end >}
formats:
- "yyyy/MM/dd HH:mm:ss"
- date:
if: "ctx.event.timezone != null && ctx.event.start != null"
field: "event.start"
target_field: "event.start"
formats: ["ISO8601"]
timezone: "{{ event.timezone }}"
on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]

# convert integer fields as the output of the CSV processor is always a string.
- convert: { type: long, ignore_missing: true, field: client.bytes }
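Review bot: The condition on the `event.created` conversion ends with a stray space inside the quotes (`"ctx.event.timezone != null && ctx.event.created != null "`), and all three new conditions dereference `ctx.event` directly. Painless raises a null-pointer error when `ctx.event` is absent, so the null-safe form is the safer spelling: `if: "ctx.event?.timezone != null && ctx.event?.created != null"`. The same applies to the `event.start` condition and to the single-field conditions in the other pipelines of this commit. Indentation is lost in this view, so I am assuming each `on_failure` belongs to the `date` processor directly above it.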
8 changes: 5 additions & 3 deletions x-pack/filebeat/module/rabbitmq/log/ingest/pipeline.yml
Expand Up @@ -16,13 +16,15 @@ processors:
formats:
- yy-MM-dd HH:mm:ss.SSS
ignore_failure: true
#{< if .convert_timezone >}
- date:
if: "ctx.event.timezone != null"
field: "@timestamp"
formats: ["ISO8601"]
timezone: "{{ event.timezone }}"
#{< end >}
- remove:
field:
- timestamp
on_failure:
- set:
field: error.message
value: "{{ _ingest.on_failure_message }}"
value: "{{ _ingest.on_failure_message }}"
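Review bot: The `date` processor added here has no `on_failure` of its own, unlike the equivalent block in the other pipelines of this commit. As far as this view shows, a failed conversion would fall through to the pipeline-level `on_failure` at the end of the file, which uses `set` and so overwrites `error.message`, and the `remove` of `timestamp` would then be skipped. Adding `on_failure: [{"append": {"field": "error.message", "value": "{{ _ingest.on_failure_message }}"}}]` to the new processor keeps failure handling consistent across modules.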
