Change timestamp in logstash input

zerratriani · November 22, 2022, 3:51am

Hi, I have a log like this and want to change the timestamp to the time in the log.

Example Log

event1: aaaaaaa | event2: xxxxxxx | event3: ccccccc | date : 2022-11-07T21:03:48.9110;

The logstash

input {
  file {
    path => "D:/dump/*.log"
    start_position => "beginning"
    mode => "read"
    file_completed_action => "delete"
    sincedb_path => "NUL"
  }
}

filter {
    grok {
	  break_on_match => false
	  match => { "rawMessage" => [
			      "(?<Event1>(event1:)([^|]*))",
				  "(?<Event2>(event2:)([^|]*))",
				  "(?<Event3>(event3:)([^|]*))",
				  "(?<date>(date.:)([^;]*))"] }
    }

   date {
			match => "%{date}"
			target => "@timestamp" 
		}
}

output {
		elasticsearch { 
			hosts => ["localhost:9200"]
			index => "event_test"
		}
}

Rios · November 22, 2022, 9:51am

Try with this:

	 date {
      match => [ "date", "ISO8601" ]
	  target=> "@timestamp"
	 }

PS. Since this is separated with |, you can use csv or dissect filters.

zerratriani · November 22, 2022, 10:39am

It still gives results like the following. Log stays in time when sent.

Rios · November 22, 2022, 2:18pm

Your grok is not OK. The date field has value:

{
  "date": [
    [
      "date : 2022-11-07T21:03:48.9110"
    ]
  ]

Try something like this:

grok {
	  match => { "rawMessage"  => "event1: %{DATA:event1} \| event2: %{DATA:event2} \| event3: %{DATA:event3} \| date : %{DATA:date};"
}
	 date {
      match => [ "date", "ISO8601" ]
	  target=> "@timestamp"
	 }

zerratriani · November 23, 2022, 8:42am

It works now then how do I change the timezone in my area? Because it's still using global time. Thank you

Rios · November 23, 2022, 9:21am

Time zones are here
ES and LS are based on UTC. Bu default, Kibana show data based on browser TimeZone.

  date {
      match => [ "date", "ISO8601" ]
      timezone => "Asia/Bangkok"
      target=> "@timestamp"
  }

zerratriani · November 28, 2022, 4:24am

Hi, i have problem with date filter, i run it on windows and it's work perfectly. But when i try in linux environtment it's doesn't work. And doesn't send any data to elastic. Please help

Rios · November 28, 2022, 6:31am

Can you dump data from ruby debug on Linux? Put as text, not as pic.

zerratriani · November 29, 2022, 8:21am

it's working now i change

match => [ "date", "ISO8601" ]
to
match => [ "date", "yyyy-MM-dd'T'HH:mm:ss.SSSS" ]

system · December 27, 2022, 8:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.