Convert epoch milli to datetime

sumitbiswas · November 21, 2018, 8:44am

Logstash version: 6.5.0

How do we convert epoch millisecond to datetime? Thanks in advance.

Below parses data and in Kibana is seen as below which is wrong.

(t) epoch_time: 1542765548000000000
(t) myTime: 48890264-01-11T11:33:20.000Z

Input log content as below

value=9663.8 1542765548000000000
value=9736.7 1542765548000000000
value=10453.89 1542765548000000000

logstash config file

filter {
    grok {
        match => { "message" => "value=%{BASE10NUM:cpu_value}\ %{PROG:epoch_time}"}
    }
    date {
        match => [ "epoch_time","UNIX_MS" ]
        target => "myTime"
    }
}

Christian_Dahlqvist · November 21, 2018, 8:49am

That looks like nanoseconds and not milliseconds. Drop the last 6 digits and I think you should get the expected timestamp with that date filter.

sumitbiswas · November 21, 2018, 12:04pm

Hi Christian,

Thanks for the suggestion. Can you please suggest how do we remove last 6 digits?

Eniqmatic · November 21, 2018, 12:20pm

The obvious way would be to divide by 1000000.

You could do this using a ruby filter first:

ruby {
                            code => "event.set('epoch_time_convert', event.get('epoch_time') / 1000000)"
}

Which will give you a field epoch_time_convert: 1542765548000

Then do:

date {
    match => [ "epoch_time_convert","UNIX_MS" ]
    target => "myTime"
}

Christian_Dahlqvist · November 21, 2018, 12:35pm

The easiest way would probably be to change your grok pattern to capture the last 6 digits separately.

sumitbiswas · November 21, 2018, 1:24pm

Thanks Eniqmatic and Christian for your suggestions. It solved the problem.

system · December 19, 2018, 1:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.