- move grok parsed fields into a separate 'fields' piece

lib/logstash/event.rb

@@ -6,8 +6,8 @@ module LogStash; class Event
   def initialize(data)
     @cancelled = false
     @data = data
-    if !@data.include?("received_timestamp")
-      @data["received_timestamp"] = LogStash::Time.now.utc.to_iso8601
+    if !@data.include?("timestamp")
+      @data["timestamp"] = LogStash::Time.now.utc.to_iso8601
     end
   end # def initialize
 
@@ -46,15 +46,15 @@ module LogStash; class Event
   end # def []=
 
   def timestamp
-    @data["received_timestamp"]
+    @data["timestamp"]
   end # def timestamp
 
   def source
-    @data[:source] or @data["source"]
+    @data["source"]
   end # def source
 
   def message
-    @data[:message] or @data["message"]
+    @data["message"]
   end # def message
 
   def to_hash

lib/logstash/filters/grok.rb

@@ -44,20 +44,19 @@ class LogStash::Filters::Grok
     end
 
     if match
+      event["fields"] = {}
       match.each_capture do |key, value|
         if key.include?(":")
           key = key.split(":")[1]
-        else
-          next
         end
 
-        if event[key].is_a?(String)
-          event[key] = [event[key]]
-        elsif event[key] == nil
-          event[key] = []
+        if event["fields"][key].is_a?(String)
+          event["fields"][key] = [event["fields"][key]]
+        elsif event["fields"][key] == nil
+          event["fields"][key] = []
         end
 
-        event[key] << value
+        event["fields"][key] << value
       end
     else
       event["PARSEFAILURE"] = 1