Convert iso 8601 timestamp to UNIX_MS

The-morpho · June 8, 2022, 12:17pm

Hello,

I have json logs wich have a field timestamp in iso 8601 format I want to convert it to UNIX_MS so I can calculate the response time between step 1 and 2, 1 and 3 for each mid.

How this can be done ?

This is an example of my log files.

{“log_level”:“INFO”,“timestamp”:“2021-12-22T11:49:06.124890Z”,“event_type”:“step1”,“mid”:“96712abc”}
{“log_level”:“INFO”,“timestamp”:“2021-12-22T11:49:07.124897Z”,“event_type”:“step2”,“mid”:“96712abc”} 
{“log_level”:“INFO”,“timestamp”:“2021-12-22T11:49:07.124899Z”,“event_type”:“step3”,“mid”:“96712abc”} 
{“log_level”:“INFO”,“timestamp”:“2021-12-22T11:49:08.124900Z”,“event_type”:“step1”,“mid”:“875dbca”}

Badger · June 8, 2022, 5:32pm

Is that 3 lines or 4?

The-morpho · June 8, 2022, 5:41pm

4 lines, sorry It was a typing error

Badger · June 8, 2022, 6:29pm

You want something very much like example 1 in the aggregate documentation.

Although the logstash Timestamp object supports nanosecond precision, the date filter does not. However, the json filter does, so we have to rename the timestamp field to @timestamp to get the json filter to use it to set [@timestamp].

    mutate { gsub => [ "message", "“", '"', "message", "”", '"' ] }
    mutate { gsub => [ "message", "timestamp", "@timestamp" ] }
    json { source => "message" remove_field => [ "message" ] }
    if [event_type] == "step1" {
        aggregate {
            task_id => "%{mid}"
            code => 'map["step1Time"] = event.get("@timestamp").to_f'
            map_action => "create"
        }
    }
    if [event_type] == "step2" {
        aggregate {
            task_id => "%{mid}"
            code => 'map["step2Time"] = event.get("@timestamp").to_f'
            map_action => "update"
        }
    }
    if [event_type] == "step3" {
        aggregate {
            task_id => "%{mid}"
            code => '
                map["step3Time"] = event.get("@timestamp").to_f
                event.set("delta12", map["step2Time"] - map["step1Time"])
                event.set("delta13", map["step3Time"] - map["step1Time"])
            '
            map_action => "update"
            end_of_task => true
            timeout => 120
        }
    }

Make sure you understand the requirements for pipeline.workers and pipeline.ordered document for the aggregate filter.

The-morpho · June 9, 2022, 11:52am

Thank you so much Badger, can you please explain this code, I found in the documentation that gsub filter match string field and replace them with the last value . Is the message will be removed ?

And in the aggregation we have
event.get("@timestamp").to_f'
Is the "to_f" convert the timstamp to millisecond ?

Badger · June 9, 2022, 4:28pm

The [message] field is modified by the gsub, not removed. The curly quotes are changed to straight quotes, and the string timestamp is replaced with @timestamp.

The .to_f converts the LogStash::Timestamp object to a floating point number. The source JSON has microsecond precision so the floating point number will have microsecond precision. But, as always with floating point numbers, the accuracy of the digital representation is not exact. The difference between 06.124890 and 07.124897 may not be 1.000007, it might be 1.00000699827

The-morpho · June 13, 2022, 2:19pm

Thanks sir, I tried this on grok debugger from dev tools but it didn't work, I got this error:

`

Unable to find pattern [mid] in Grok's pattern dictionary

`

Badger · June 13, 2022, 4:43pm

Not sure why you would be using a grok debugger. There is no grok filter in the configuration I suggested.

The-morpho · June 13, 2022, 5:04pm

Yes yes, you're right there is no need for the grok debugger, but I add the configuration to logstash.conf and nothing is done, no field is added

The-morpho · June 14, 2022, 10:23am

Hello Badger please can you tell me what is the purpose of using this line:

json { source => "message" remove_field => [ "message" ] }

Badger · June 14, 2022, 3:47pm

Your [message] field contains JSON. That will parse it so that you have [log_level], [timestamp], [event_type], and [mid] fields.

If it is successfully parsed then the [message] field will be deleted, so that you do not have duplicate data. If the parsing fails then the [messsage] field will remain so that you can see what is wrong with it.

The-morpho · June 14, 2022, 4:32pm

Thanks you Badger for your help.

Do I have to set anything apart from the logstash configuration to run the filter?

Because I copied it as it is and it didn't work, also there is no error message in the logs of the logstash image on docker.

Badger · June 14, 2022, 4:41pm

I don't think so.

The-morpho · June 14, 2022, 4:57pm

Is there any documentation for pipeline.workers and pipeline.ordered document ?

Badger · June 14, 2022, 5:10pm

They are documented here. As with most pipeline setting they can be set globally or per-pipeline.

The-morpho · June 29, 2022, 9:38am

Thanks sir, can You please check this post about an error

system · July 27, 2022, 9:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Help with converting timestamp Logstash	3	526	July 12, 2017
Convert NanoSecond Unix timestamp Logstash	9	1184	February 28, 2023
Howto convert UNIX timestamp json field into ISO8601 format Logstash	6	3525	September 18, 2018
LOGSTASH convert unix ms timestamp Logstash	2	3174	September 27, 2017
Logstash Json filter re-formated the @timestamp field unexpectedly Logstash	6	1505	July 13, 2020

Convert iso 8601 timestamp to UNIX_MS

Related topics