Convert NanoSecond Unix timestamp

maskrider1111 · January 31, 2023, 8:34pm

Hi Folks,

Any idea how to convert the nanosecond unix timestamp in logstash filter?

date {
                match => [ "eventtime","UNIX_MS", "ISO8601" ]
                target => "Epoch"
                timezone => "UTC"
                }

Apparently its not working

 "Epoch" => +53023221-08-28T18:34:21.798Z,

Rios · January 31, 2023, 8:43pm

Welcome to the community Jay.
Can you explain what are first 8 digits?
"Epoch" => +53023221-08-28T18:34:21.798Z

Or show the eventtime field value.

maskrider1111 · January 31, 2023, 9:08pm

Thanks @Rios.

This is the another example of the eventtime field value:

eventtime: 1673188498490039856
Target "Epoch": +53023202-10-20T09:53:59.856Z

I understand that UNIX_MS (milisecond) plugin will not work on nanoseconds timestamp. Any work around?

Badger · January 31, 2023, 9:18pm

It is 53 million years in the future.

The simplest solution is to throw away all the sub-millisecond precision.

    mutate { add_field => { "eventtime" => 1675199470000000000 } }
    mutate { gsub => [ "eventtime", "\d{6}$", "" ] }
    date { match => [ "eventtime","UNIX_MS", "ISO8601" ] target => "Epoch" timezone => "UTC" }

gives you

     "Epoch" => 2023-01-31T21:11:10.000Z

Rios · January 31, 2023, 9:25pm

Proof how LS is advance
Use the simplest solution. If nanosec is mandatory in ES, then use this or this

Badger · January 31, 2023, 9:37pm

If you need nanosecond precision it can be done in logstash

    mutate { add_field => { "eventtime" => 1675199470123456789 } }
    ruby {
        code => '
            n = event.get("eventtime")
            if n
                match = /(\d+)(\d{9})/.match(n)
                event.set("@timestamp", LogStash::Timestamp.new(Time.at(match[1].to_i, match[2].to_i, :nsec)))
            end
        '
    }

will produce

"@timestamp" => 2023-01-31T21:11:10.123456789Z,

maskrider1111 · January 31, 2023, 9:39pm

Hi @Badger ,

Sorry im not an expert when its comes to logstash filtering. Your solution seems to work but logstash unable to parse the date. Did i miss anything here?

Badger · January 31, 2023, 9:42pm

Your eventtime is an array, so you would need to use [eventtime][0] in the date filter. But if it is an array then you never should have gotten a far future date, so I am not sure what your data really looks like.

maskrider1111 · January 31, 2023, 9:57pm

Awesome, its work. Thank you so much for the solution. You just solved the issue that I was struggling with for hours

system · February 28, 2023, 9:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to index nanoseconds precision events with Logstash (7.10) and type date_nanos Logstash	1	5417	February 21, 2021
Convert epoch milli to datetime Logstash	6	4863	December 19, 2018
Timestamp to epoch in microseconds - am I doing this right? Logstash	4	7576	December 7, 2017
Logstash to support nanosecond timestamps? Logstash	1	1162	June 14, 2019
Help with converting timestamp Logstash	3	526	July 12, 2017

Convert NanoSecond Unix timestamp

Related topics