Add year to timestamp

ssasporta · December 6, 2016, 4:32pm

Hi,

The time stamp in my log looks like that: [Mar 01 14:55:11] . No year available.
I want to add it to, to be the current year if possible or the previous year. I need to have the year, I assume int he timestamp, to be able to visualize according to the timestamp.

I mean, if we are on Dec 2016, and the Month was Jan, so it must be 2016 and can't be 2017. In general, if the date is later then current date, to use it with the previous year.
That Year need to be calculated and inserted hardcoded, to be include in the timestamp.

How can I do that?

Regards,
Sharon.

warkolm · December 6, 2016, 6:36pm

The date filter can handle that, just define the pattern yourself and it will add a the appropriate year.

ssasporta · December 7, 2016, 12:36pm

Hi,

I tried it but it didn't work.

Thats from the log:

"@timestamp" => "2016-12-07T10:18:09.237Z",
   "message" => "<<DEBUG>>  [Mar 01 14:55:23] [[ACTIVE] ExecuteThread: '9' for queue: 'weblogic.kernel.Default (self-tuning)'] [CM] [OMS] (BasicParameter.isResource) Exit",
  "@version" => "1",
      "type" => "cm_server_log",
     "count" => 1,

The error occurred on the 01-Mar but the timestamp is the time when the doc was created.

The piece of configuration from my logstash is that:

            multiline {
                       patterns_dir => "/users/mpswrk1/LogStash/impls/patterns/patterns"
                       pattern => "^\<\<%{LOGLEVEL}\>\> "
                       negate => true
                       what => "previous"
            }
            grok {
                    match => { "message" => "\<\<%{LOGLEVEL:severity}\>\>  \[%{PARTTIMESTAMP:timestamp}\] \[\[%{DATA:status}\] %{DATA:execute_thread}\] \[%{WORD:source_app}\] \(%{JAVACLASS:method}\) %{DATA:exception_method_description}\: \(%{DATA:error_code}\) %{DATA:error_description}%{JAVASTACKTRACEPART:java_class_stack}" }
                    patterns_dir => "/users/mpswrk1/LogStash/impls/patterns/patterns"
            }
            date {
                     match => [ "timestamp" , "MMM dd hh:mm:ss aa" ]
            }
            if "_grokparsefailure" in [tags] {
                           drop { }
            }

I assume something is wrong in my configuration.

Regards,
Sharon.

warkolm · December 7, 2016, 8:29pm

That is that in your patterns file?

ssasporta · December 7, 2016, 9:37pm

Hi,

Yes, this is from my pattern file:

PARTTIMESTAMP %{MONTH} %{MONTHDAY} %{TIME}

Thanks
Sharon.

ssasporta · December 8, 2016, 6:58pm

Can someone help here?

Regards,
Sharon.

system · January 5, 2017, 6:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash uses current year for timestamp without year and shows events with future dates Logstash	5	1384	August 5, 2021
Define filter - to use second field as timestamp and add year Logstash	7	1172	January 23, 2017
Missing year set to 1970 by Logstash Logstash	17	1480	March 24, 2021
Current year in to the date filter Logstash	3	1210	July 12, 2017
[SOLVED] Forcing a static year to date timestamps Logstash	4	1114	July 6, 2017

Add year to timestamp

Related topics