From 72acd46a31721a773550c72566fb107d97833a5c Mon Sep 17 00:00:00 2001
From: Mohammed Naser
Date: Sun, 23 Sep 2018 17:02:19 -0400
Subject: [PATCH] Use correct parsed timestamp
At the moment, we're adding an extra field called "logdate" rather than using the built-in timestamp. This makes things go to the right field.
Change-Id: I5e56d01692b7205418e6aba89d1c7c44fa1abfef
---
 elk_metrics_6x/templates/logstash-pipelines.yml.j2 | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/elk_metrics_6x/templates/logstash-pipelines.yml.j2 b/elk_metrics_6x/templates/logstash-pipelines.yml.j2
index d1f9c2c1..64776ea2 100644
--- a/elk_metrics_6x/templates/logstash-pipelines.yml.j2
+++ b/elk_metrics_6x/templates/logstash-pipelines.yml.j2
@@ -183,7 +183,10 @@
 "^%{CISCOTIMESTAMP:journalddate}%{SPACE}%{SYSLOGHOST:host}%{SPACE}%{SYSLOGPROG:prog}%{SPACE}%{TIMESTAMP_ISO8601:logdate}%{SPACE}%{NUMBER:pid}%{SPACE}%{NOTSPACE:loglevel}%{SPACE}%{NOTSPACE:module}%{SPACE}%{GREEDYDATA:logmessage}"
 ]
 }
- add_field => { "received_at" => "%{@timestamp}" }
+ }
+ date {
+ match => [ "logdate", ISO8601 ]
+ remove_field => [ "logdate" ]
 }
 if "nova" in [tags] {
 mutate {
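Review bot: Dropping `add_field => { "received_at" => "%{@timestamp}" }` from the grok block removes the only record of when Logstash received the event, because the new `date` filter then overwrites `@timestamp` with a value taken from the log line itself. For incident timelines it is worth keeping that line inside `grok` (it runs before `date`, so it still captures ingest time), so that a host with a skewed clock or a back-dated line can be spotted by comparing the two fields. If `logdate` carries no UTC offset, which the `TIMESTAMP_ISO8601` pattern allows, the date filter will presumably interpret it in the Logstash host's zone, so an explicit `timezone => "UTC"` (or whichever zone the services log in) would make cross-host correlation reliable. The enclosing filter block and its conditional start outside this hunk, so whether `date` only runs on events that went through this grok cannot be confirmed from here.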