
Hi everyone,

I've got a box running Kibana and Elasticsearch, with the information being handed across by fluentd.  It's all working pretty well, and I've moved on to pushing Windows events through - which is where I'm struggling.

I'm using nxlog on a Windows machine, and it's pushing the data directly to Elasticsearch - unfortunately I cannot for love nor money get the date to be handled as a date, rather than a string; the nxlog output is:

    URL    http://192.0.0.10:9200
    ContentType application/json
    Exec   set_http_request_path(strftime($EventTime, "/windowsevents-%Y.%m.%d/" + $SourceModuleName)); delete($EventReceivedTime); rename_field("timestamp","@timestamp"); to_json();

I create a new index with a pattern of windowsevents*, but the *EventTime* field is stated as a string, not a date - so I can't sort data by age.  *@timestamp* clearly isn't getting populated, as the *timestamp* field isn't being used.  Has anyone used a similar setup?  Is there a way to push the data on as a date?

Apologies if I've missed out pertinent information - it's all a bit new to me.

Asked November 19, 2015 - 10:22am

Answer (1)

All sorted! I'd made a mistake on the elastic config side:

https://discuss.elastic.co/t/struggling-to-specify-field-types/34964/4

Comments (1)

  • adm (NXLog)

    This is also noted in the document Using NXLog with Elasticsearch and Kibana:

    For Kibana's time filters to work properly we will need to apply a template. This can be pushed to Elasticsearch with the following command:

    curl -XPUT localhost:9200/_template/nxlog -d '{ "template" : "nxlog*", "mappings" : { "_default_" : { "properties": { "EventTime": { "type": "date", "format": "YYYY-MM-dd HH:mm:ss" } } } } }'
    

    Glad that the elastic guys were able to help also.
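An added example, written for this thread rather than taken from it or from NXLog's own code: a small Python pre-flight check for the mapping problem the thread describes. It builds the same kind of legacy index template the comment's curl command pushes (here for the `windowsevents*` pattern used in the question, an assumption), verifies that each event's EventTime string actually matches the declared `YYYY-MM-dd HH:mm:ss` layout before the event is indexed, and reproduces the daily index path the nxlog Exec line computes. The sample events are constructed, with field names modelled on nxlog's im_msvistalog output; once EventTime is mapped as a date, an event whose value is missing or in a different layout is rejected by Elasticsearch rather than silently stored as a string, so catching those up front keeps time-based searches and Kibana filters trustworthy.

```python
"""Pre-flight check for NXLog -> Elasticsearch date mapping (added example, not from the thread)."""
import json
from datetime import datetime

# Index pattern implied by the question's set_http_request_path() call (assumption).
INDEX_PATTERN = "windowsevents*"
# Elasticsearch (Joda-style) date format quoted in the NXLog comment, and the
# strptime equivalent used here for local validation.
ES_DATE_FORMAT = "YYYY-MM-dd HH:mm:ss"
PY_DATE_FORMAT = "%Y-%m-%d %H:%M:%S"


def build_template(index_pattern=INDEX_PATTERN, date_field="EventTime"):
    """Build the legacy index-template body (the 2015-era API the comment's curl call uses)."""
    return {
        "template": index_pattern,
        "mappings": {
            "_default_": {
                "properties": {
                    date_field: {"type": "date", "format": ES_DATE_FORMAT},
                }
            }
        },
    }


def template_json(index_pattern=INDEX_PATTERN):
    """Serialised body suitable for 'curl -XPUT .../_template/windowsevents -d @file'."""
    return json.dumps(build_template(index_pattern))


def check_event(event, date_field="EventTime"):
    """Return (ok, reason). An event whose date field is absent or laid out differently
    would be rejected by Elasticsearch once the field is mapped as a date."""
    value = event.get(date_field)
    if value is None:
        return False, f"{date_field} missing"
    if not isinstance(value, str):
        return False, f"{date_field} is {type(value).__name__}, expected string"
    try:
        datetime.strptime(value, PY_DATE_FORMAT)
    except ValueError:
        return False, f"{value!r} does not match {ES_DATE_FORMAT}"
    return True, "ok"


def index_path(event, date_field="EventTime"):
    """Daily index path the nxlog Exec line computes: /windowsevents-YYYY.MM.DD/<module>."""
    when = datetime.strptime(event[date_field], PY_DATE_FORMAT)
    return when.strftime("/windowsevents-%Y.%m.%d/") + event["SourceModuleName"]


def validate_batch(events):
    """Split a batch into events that will index cleanly and ones to fix first."""
    summary = {"ok": [], "rejected": []}
    for ev in events:
        ok, reason = check_event(ev)
        if ok:
            summary["ok"].append(index_path(ev))
        else:
            summary["rejected"].append((ev.get("EventID"), reason))
    return summary


# Constructed sample events (not real logs); field names follow nxlog's im_msvistalog output.
SAMPLE_EVENTS = [
    {"EventTime": "2015-11-19 10:22:00", "EventID": 4624,
     "SourceModuleName": "im_msvistalog", "Message": "An account was successfully logged on."},
    # ISO 8601 'T' separator: a real date, but not the layout the mapping declares.
    {"EventTime": "2015-11-19T10:22:05", "EventID": 4625,
     "SourceModuleName": "im_msvistalog", "Message": "An account failed to log on."},
    # EventReceivedTime only (EventTime dropped upstream): nothing to map as a date.
    {"EventReceivedTime": "2015-11-19 10:22:07", "EventID": 1102,
     "SourceModuleName": "im_msvistalog", "Message": "The audit log was cleared."},
]

if __name__ == "__main__":
    print(template_json())
    for ev in SAMPLE_EVENTS:
        print(ev.get("EventID"), check_event(ev))
    print(validate_batch(SAMPLE_EVENTS))
```

Run it as-is to see the template body and which constructed events would pass; in a real pipeline the same check can sit in front of the bulk indexer, or the rejected list can be fed back into the nxlog config (for instance, a missing EventTime usually means the field was deleted or renamed before to_json()).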