Convert date to string string

Yoav_Ben_Moha · May 15, 2019, 8:45am

Hi,
I am using ELK7 .
I have a csv file with 3 columns
I have successfully converted the first two columns from string to integer , but failed to convert
the 3rd column from string to date.
In Kibana the 3rd field is still a string

The csv file looks as follow:
CALLING_NUMBER,CALLED_NUMBER,ING_SIGNAL_START_TIME
61280037234,61262488358,2019-04-18+05:58:10.772
38580723144,61892967871,2019-04-18+05:58:08.966
18324621472,23598050505,2019-04-18+05:57:22.294

I have tried to convert the 3rd column as follow:
filter {
csv {
separator => ","
columns => ["CALLING_NUMBER","CALLED_NUMBER","ING_SIGNAL_START_TIME"]
}

date {
        match => ["ING_SIGNAL_START_TIME", "ISO8601"]
}

mutate { convert => ["CALLING_NUMBER","integer"] }
mutate { convert => ["CALLED_NUMBER","integer"] }

}

I have also tried the following option
date {
match => [ "ING_SIGNAL_START_TIME", "YYYY-MM-dd HH:mm:ss.SSS" ]
target => "ING_SIGNAL_START_TIME"
}

None of the option above successded to convert the string to date.

Please advise
Thanks

pastechecker · May 15, 2019, 12:28pm

There you go:

filter {
 csv {
  separator => ","
  columns => ["CALLING_NUMBER","CALLED_NUMBER","ING_SIGNAL_START_TIME"]
 }

#2019-04-18+05:58:10.772
 date {
  match => ["ING_SIGNAL_START_TIME", "yyyy-MM-dd'+'HH:mm:ss.SSS", "MMM dd HH:mm:ss", "ISO8601" ]
 }

 mutate { convert => ["CALLING_NUMBER","integer"] }
 mutate { convert => ["CALLED_NUMBER","integer"] }
}

Test data:
18324621472,23598050505,2019-04-18+05:57:22.294
{
"CALLING_NUMBER" => 18324621472,
"@version" => "1",
"@timestamp" => 2019-04-18T03:57:22.294Z,
"host" => "debugging_Date",
"CALLED_NUMBER" => 23598050505,
"ING_SIGNAL_START_TIME" => "2019-04-18+05:57:22.294",
"message" => "18324621472,23598050505,2019-04-18+05:57:22.294"
}

Badger · May 15, 2019, 12:28pm

Your field does not have a space between the date and time it has +, so your pattern has to match that

match => [ "ING_SIGNAL_START_TIME", "YYYY-MM-dd'+'HH:mm:ss.SSS" ]

Yoav_Ben_Moha · May 15, 2019, 7:17pm

Hi,
I have followed yor suggestion - It didnt help.
I have insert the data into a new index , but it still didnt converted to date.

input {
        file {
                path => "/home/logstash/cdr_files/tst1.csv"
                start_position => "beginning"
                sincedb_path => "/dev/null"
              }
}

filter {
        csv {
                separator => ","
                columns => ["CALLING_NUMBER","CALLED_NUMBER","ING_SIGNAL_START_TIME"]
            }

       date {
              match => ["ING_SIGNAL_START_TIME", "yyyy-MM-dd'+'HH:mm:ss.SSS", "MMM dd HH:mm:ss", "ISO8601" ]
            }

        mutate { convert => ["CALLING_NUMBER","integer"] }
        mutate { convert => ["CALLED_NUMBER","integer"] }
}

output {
        elasticsearch {
                        hosts => "localhost"
                        index => "tst100"
                        document_type => "test100_logs"
                      }
        stdout {}
}

Badger · May 15, 2019, 7:23pm

On stdout, do you see ING_SIGNAL_START_TIME as a string, surrounded by quotes, or as a timestamp, like 2019-05-15T14:04:53.879Z? Does the event have a _dateparsefailure tag?

Yoav_Ben_Moha · May 16, 2019, 10:30am

Hi,
As you ca see bellow ING_SIGNAL_START_TIME apper as a string, surrounded by quotes.

{
                 "@version" => "1",
                  "message" => "423115,140407,2019-04-18+05:58:25.209\r",
            "CALLED_NUMBER" => 140407,
                     "path" => "/home/logstash/cdr_files/tst1.csv",
                     "host" => "elk7-lab",
           "CALLING_NUMBER" => 423115,
    "ING_SIGNAL_START_TIME" => "2019-04-18+05:58:25.209",
               "@timestamp" => 2019-04-18T02:58:25.209Z
}

Thanks

Yoav_Ben_Moha · May 16, 2019, 12:03pm

I have solve the the problem as follow

date {
      match => [ "ING_SIGNAL_START_TIME", "YYYY-MM-dd'+'HH:mm:ss.SSS" ]
      target => [ "newdatetime" ]
      remove_field => [ "ING_SIGNAL_START_TIME" ]
     }

And stdout looks ok
{
"host" => "elk7-lab",
"CALLING_NUMBER" => 32470,
"message" => "32470,20087,2019-04-18+05:58:39.291\r",
"@timestamp" => 2019-05-16T11:54:49.262Z,
"path" => "/home/logstash/cdr_files/tst1.csv",
"CALLED_NUMBER" => 20087,
"@version" => "1",
"newdatetime" => 2019-04-18T02:58:39.291Z
}

Than i have added few more date fields , but this time the logstatsh failed to run
date {
match => [ "ING_SIGNAL_START_TIME", "YYYY-MM-dd'+'HH:mm:ss.SSS" ]
target => [ "newdate_1" ]
remove_field => [ "ING_SIGNAL_START_TIME" ]

        match => [ "ING_ADDRESS_COMPLETE_TIME", "YYYY-MM-dd'+'HH:mm:ss.SSS" ]
	target => [ "newdate_2" ]
        remove_field => [ "ING_ADDRESS_COMPLETE_TIME" ]

        .....

        match => [ "EGR_RELEASE_COMPLETE_TIME", "YYYY-MM-dd'+'HH:mm:ss.SSS" ]
        target => [ "newdate_9" ]
        remove_field => [ "EGR_RELEASE_COMPLETE_TIME" ]	 
    }

The error is -
[INFO ] 2019-05-16 15:02:43.870 [LogStash::Runner] runner - Starting Logstash {"logstash.version"=>"7.0.1"}
[ERROR] 2019-05-16 15:02:51.331 [Converge PipelineAction::Create] date - Invalid setting for date filter plugin:

filter {
date {
# This setting must be a string
# Expected string, got ["newdate_1", "newdate_2", "newdate_3", "newdate_4", "newdate_5", "newdate_6", "newdate_7", "newdate_8", "newdate_9"]
target => ["newdate_1", "newdate_2", "newdate_3", "newdate_4", "newdate_5", "newdate_6", "newdate_7", "newdate_8", "newdate_9"]
...
}
}
[ERROR] 2019-05-16 15:02:51.336 [Converge PipelineAction::Create] agent - Failed to execute action {:action=>LogStash::PipelineAction::Create/pipeline_id:main, :exception=>"LogStash::ConfigurationError", :message=>"Something is wrong with your configuration.", :backtrace=>["/usr/share/logstash/logstash-core/lib/logstash/config/mixin.rb:86:in config_init'", "/usr/share/logstash/logstash-core/lib/logstash/filters/base.rb:126:ininitialize'", "/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-filter-date-3.1.9/lib/logstash/filters/date.rb:158:in initialize'", "org/logstash/plugins/PluginFactoryExt.java:78:infilter_delegator'", "org/logstash/plugins/PluginFactoryExt.java:248:in plugin'", "org/logstash/execution/JavaBasePipelineExt.java:50:ininitialize'", "/usr/share/logstash/logstash-core/lib/logstash/java_pipeline.rb:23:in initialize'", "/usr/share/logstash/logstash-core/lib/logstash/pipeline_action/create.rb:36:inexecute'", "/usr/share/logstash/logstash-core/lib/logstash/agent.rb:325:in `block in converge_state'"]}
[INFO ] 2019-05-16 15:02:51.692 [Api Webserver] agent - Successfully started Logstash API endpoint {:port=>9600}
[INFO ] 2019-05-16 15:02:56.630 [LogStash::Runner] runner - Logstash shut down.

Please advise

Badger · May 16, 2019, 12:26pm

Right. You did not set target, so it parsed it into @timestamp.

In your other case, you cannot have multiple match+target pairs in the same date filter. They should be separate filters.

Yoav_Ben_Moha · May 16, 2019, 1:09pm

In your other case, you cannot have multiple match+target pairs in the same date filter. They
should be separate filters.

I am sorry, But i didnt understand what i should do if i have several date columns.
Can you please share a simple test case how to handle such senario ?

Thanks !!!!

Badger · May 16, 2019, 1:11pm

date {
    match => [ "ING_SIGNAL_START_TIME", "YYYY-MM-dd'+'HH:mm:ss.SSS" ]
    target => [ "newdate_1" ]
    remove_field => [ "ING_SIGNAL_START_TIME" ]
}
date {
    match => [ "ING_ADDRESS_COMPLETE_TIME", "YYYY-MM-dd'+'HH:mm:ss.SSS" ]
    target => [ "newdate_2" ]
    remove_field => [ "ING_ADDRESS_COMPLETE_TIME" ]
}
    .....

Yoav_Ben_Moha · May 16, 2019, 7:47pm

I have folowed the recommanded step .

date {
    match => [ "ING_SIGNAL_START_TIME", "YYYY-MM-dd'+'HH:mm:ss.SSS" ]
    target => [ "newdate_1" ]
    remove_field => [ "ING_SIGNAL_START_TIME" ]
}
date {
    match => [ "ING_ADDRESS_COMPLETE_TIME", "YYYY-MM-dd'+'HH:mm:ss.SSS" ]
    target => [ "newdate_2" ]
    remove_field => [ "ING_ADDRESS_COMPLETE_TIME" ]

All the columns which marked as removed_field=> .... Did NOT removed , and actually all the date fields are still appear as Strings.
In the stdout i dont see the "newdate_xx" fields

Example

....
"CALLED_NUMBER" => 4478,
"EGR_CALL_RELEASE_TIME" => "04/18/2019 05:58:38",
"ING_CALL_ANSWER_TIME" => "04/18/2019 05:58:36",
"ING_RELEASE_COMPLETE_TIME" => "04/18/2019 05:58:38",
....
"@version" => "1",
}
{
"tags" => [
[0] "_dateparsefailure"
],

Any advise ... ?

Thanks

Badger · May 16, 2019, 7:57pm

That does not match "YYYY-MM-dd'+'HH:mm:ss.SSS" do your different filters have different formats? Did you change the format of the data being input?

system · June 13, 2019, 7:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Convert string to date isnt working when logstash reading data from csv file. Need help! Logstash	2	401	August 1, 2019
CSV field from string to Date Logstash	13	6700	January 19, 2018
How to convert field date from String to Date? Logstash	13	9040	April 20, 2020
Convert string to date in logstash config file Logstash	4	3052	July 6, 2017
Logstash parsed the date, and saved as string Logstash	3	317	March 25, 2019

Convert date to string string

Related topics