I thought everything was working until I spotted that the dates from the raw messages are being parsed.
My raw messages:
Interim-Update,user5@realm,2021/09/16 14:42:32,0,HOST-1,3174790000001AA1431119,10.10.110.112,Framed-User,PPP,,,10.20.126.116,255.255.255.255,,,,122800,,124584,,1350,,1344,PPPoEoQinQ,180056165,lag-10:999.101,Radius,
All messages are pushed through “decode_csv_fields”,
e.g.
processors:
  - decode_csv_fields:
      fields:
        message: csv
      overwrite_keys: true
  - extract_array:
      field: csv
      overwrite_keys: true
      omit_empty: true
      mappings:
        Acct-Status-Type: 0
        User-Name: 1
        Event_Timestamp: 2
        Acct-Delay-Time: 3
        NAS-Identifier: 4
        Acct-Session-Id: 5
        NAS-IP-Address: 6
        Service-Type: 7
        Framed-Protocol: 8
        Framed-Compression: 9
        Unisphere-PPPoE-Description: 10
        Framed-IP-Address: 11
        Framed-IP-Netmask: 12
        Unisphere-Ingress-Policy-Name: 13
        Calling-Station-Id: 14
        Acct-Input-Gigawords: 15
        Acct-Input-Octets: 16
        Acct-Output-Gigawords: 17
        Acct-Output-Octets: 18
        Unisphere-Input-Gigapackets: 19
        Acct-Input-Packets: 20
        Unisphere-Output-Gigapackets: 21
        Acct-Output-Packets: 22
        NAS-Port-Type: 23
        NAS-Port: 24
        NAS-Port-Id: 25
        Acct-Authentic: 26
        Acct-Session-Time: 27
        Delegated-IPv6-Prefix: 28
And these are split nicely into the fields that I can search.
What I was not expecting is that the field Event_Timestamp is being parsed, and instead of showing as
2021-09-16 14:42:32.000 +01:00
it's
2021-09-16 15:42:32.000 +01:00
How can I prevent this and, at the same time, how can I overwrite timestamp with this field value?
Thanks
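An added illustration, not part of the original post and not Filebeat's own code: it maps a shortened, constructed copy of the raw message with a subset of the posted `extract_array` indices, then renders `Event_Timestamp` under two readings. It assumes the one-hour shift comes from the zone-less value being read as UTC and displayed at +01:00; the helper names and the fixed +01:00 offset are hypothetical.

```python
import csv
from datetime import datetime, timedelta, timezone

# Constructed sample: the first seven columns of the raw message in the post.
RAW = ("Interim-Update,user5@realm,2021/09/16 14:42:32,0,HOST-1,"
       "3174790000001AA1431119,10.10.110.112")

# Subset of the extract_array mappings from the post (field name -> column).
MAPPINGS = {"Acct-Status-Type": 0, "User-Name": 1, "Event_Timestamp": 2,
            "Acct-Delay-Time": 3, "NAS-Identifier": 4,
            "Acct-Session-Id": 5, "NAS-IP-Address": 6}

LAYOUT = "%Y/%m/%d %H:%M:%S"               # layout of the zone-less value
DISPLAY_TZ = timezone(timedelta(hours=1))  # assumption: viewer shows +01:00


def extract(raw, mappings=MAPPINGS, omit_empty=True):
    """Split one CSV line and pick columns by index, skipping empty ones."""
    row = next(csv.reader([raw]))
    return {name: row[i] for name, i in mappings.items()
            if i < len(row) and (row[i] != "" or not omit_empty)}


def to_event_time(text, source_tz):
    """Attach the zone the sender wrote in; return an aware UTC datetime."""
    naive = datetime.strptime(text, LAYOUT)
    return naive.replace(tzinfo=source_tz).astimezone(timezone.utc)


def render(dt, tz=DISPLAY_TZ):
    """Format an aware datetime the way the post shows it."""
    local = dt.astimezone(tz)
    off = local.strftime("%z")             # e.g. +0100
    millis = f"{local.microsecond // 1000:03d}"
    return f"{local:%Y-%m-%d %H:%M:%S}.{millis} {off[:3]}:{off[3:]}"


fields = extract(RAW)
# Reading 1: the value is taken as UTC, so the +01:00 view adds an hour.
as_utc = render(to_event_time(fields["Event_Timestamp"], timezone.utc))
# Reading 2: the value is taken as already being in +01:00.
as_local = render(to_event_time(fields["Event_Timestamp"], DISPLAY_TZ))

if __name__ == "__main__":
    print("read as UTC:   ", as_utc)
    print("read as +01:00:", as_local)
```

The two outputs differ by exactly the hour seen in the post, which is why the source zone has to be stated explicitly wherever the field is parsed into a date.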