Can't match string to format date

Hi everybody,

I have a problem while I try to convert a string variable to timestamp.

I'm using date module without successful result. Format date is dd/MM/yyyy hh:mm:ss.SSSSSS and originally the variable newDate is:

          "logLevel" => "DEBUG4:",
    "strangeElement" => "elk1",
        "newMessage" => "DelayedCollectionPolicy.getNextFile()=null",
           "newDate" => "04/02/2023 00:53:00.006357"

And I tried to use match next way, but not workwed:

  date {
    match => [ "newDate", "dd/MM/yyyy hh:mm:ss.SSSSSS" ]
    timezone => "America/Mexico_City"
    target => "otherDate"
  }

For that reason it came to my mind to split newDate variable ahead of applying the match, in order to get rid of six miliseconds, as I thought that six milliseconds were causing some conflict but neither worked too, as the match doesn't success.

           "newDate" => [
        [0] "04/02/2023 06:50:00",
        [1] "007299"
    ],

  date {
    match => [ "[newDate][0]", "dd/MM/yyyy hh:mm:ss" ]
    timezone => "America/Mexico_City"
    target => "otherDate"
  }

I tried to use different timezone, but neither works. Any suggestion?

Thanks.

You need to use HH, using hh only matches 12-hour clocks, so it only matchs 01-12.

If your hour is showing 00 you have a 24-hour clock, so you need to use HH which will match 00-23.

Also, is this dd/MM/yyyy or MM/dd/yyyy?

If it is dd/MM/yyyy then your log is for February 4th, is this correct?

"newDate" => "04/02/2023 00:53:00.006357"

I didn't realized about "hh". When I used "HH" instead of "hh", it worked.

There are four patterns for hours. HH is for 0-23, kk is for 1-24. I think these will ignore the value of an a pattern (AM/PM) so you also need KK for 0-11 and hh for 1-12.

Thanks for your answer Badger.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.