Conversion of timeformat

mansa · April 22, 2021, 1:01pm

Hi Folks we have few logs which comes into time format "2021-04-05 08:04:24+07:00" and i want to convert this time into format "Sep 15 18:58:48" because i am sending logs to different SIEM which reads only syslog time stamp.
Can any one help what is best way to convert the timestamp. I tried with Date filter but didn't help.

Pipeline is

filter {
grok {
match => [ "message", "%{WORD:P1}\s+:\s+%{WORD:NEType}\s+%{WORD:P2}\s+:\s+%{WORD:NEName}\s+%{WORD:P3}\s+:\s+%{IPV4:IP}\s+%{WORD:P4}\s+:\s+%{DATA:Operator}\s+%{WORD:P5}\s+:\s+%{IPV4:TerminalIP}\s+%{WORD:P6}\s+:\s+%{TIMESTAMP_ISO8601:Time}+07:00\s+%{GREEDYDATA:Data}" ]
}

date {
match => [ "Time" , "MMM dd HH:mm:ss" ]
target => "Time1"
}

mutate {
remove_field => ["message"]
}
mutate {
add_field => {
"message" => "%{Time1} %{IP} %{Data}"
}
remove_field => [ "Time", "IP", "Data" ]
}
}

Badger · April 22, 2021, 3:23pm

Use a date filter to parse the "2021-04-05 08:04:24+07:00" and then use a ruby filter that calls strftime to format that timestamp in a different way.

mansa · April 23, 2021, 11:56am

I tried above suggestion but didn't worked for me... I may be wrong on coding. Could you please help me with date & ruby filter format.

Badger · April 23, 2021, 2:21pm

What did you try?

mansa · April 29, 2021, 1:24pm

Hi i tried this but no help..can you please verify what causing issue
filter {
grok {
match => [ "message", "%{WORD:P1}\s+:\s+%{WORD:NEType}\s+%{WORD:P2}\s+:\s+%{WORD:NEName}\s+%{WORD:P3}\s+:\s+%{IPV4:IP}\s+%{WORD:P4}\s+:\s+%{DATA:Operator}\s+%{WORD:P5}\s+:\s+%{IPV4:TerminalIP}\s+%{WORD:P6}\s+:\s+%{TIMESTAMP_ISO8601:Time}+07:00\s+%{GREEDYDATA:Data}" ]
}

date {
match => ["TIME", "ISO8601"]
target => "date_object"
}
ruby {
code => '
t = Time.at(event.get("@date_object").to_f)
event.set("Time1", t.strftime("%Y-%m-%d"))
}
mutate {
remove_field => ["message"]
}
mutate {
add_field => {
"message" => "%{Time1} %{NEName} %{Data}"
}
remove_field => [ "Time1", "NEName", "Data" ]
}
}

Badger · April 29, 2021, 5:58pm

TIME and Time are different fields, as are date_object and @date_object. Joda does not agree that that time format matches an ISO8601 pattern. Try

   date { match => ["Time", "yyyy-MM-dd HH:mm:ssZ"] target => "date_object" }
    ruby {
        code => '
            t = Time.at(event.get("date_object").to_f)
            event.set("Time1", t.strftime("%Y-%m-%d"))
        '
    }

system · May 27, 2021, 5:59pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.