Convert String to date and compare it

alex_vermex · August 4, 2022, 10:10am

Hi,
I have two fields and I want to compare it

field1: 20220720091723
field2: 07/20/22 09:17
I want to compare it so i don't know if i should convert to date then compare and how or can someone please tell me what i should do

Thanks!

alex_vermex · August 4, 2022, 11:49am

i tryed this in logstash :

date {
        match => [ "field1", "yyyyMMddHHmmss" ]
      }

but still doesn't work it stays String... and if I convert these two fields so I can compare it, right?

alex_vermex · August 4, 2022, 2:30pm

I think i found the solution but there is somthing wrong

date {
        match => [ "field1", "yyyyMMddHHmmss" ]
        target => "field1"
      }
date {
        match => [ "field2", "dd/MM/yy HH:mm" ]
        target => "field2"
      }

output:

field1: 2022-07-20T09:24:07.000Z
field2: 2022-07-20T05:06:00.000Z
Can I specify the output format? for example I just want to keep yyyy-MM-DD HH:mm because the first field contains the ss and field2 just mm

Any help would be sincerely appreciate!
Thanks!

Badger · August 4, 2022, 4:00pm

Maybe. See this thread.

alex_vermex · August 4, 2022, 8:16pm

Thanks for the reply
there is a little thing that i don't understand here the original field 20220720185907 after matching and target ... it looks like this now field1: 2022-07-20T17:59:07.000Z it was changed for one hour honestly i don't know why.
after ruby filter and thanks for this it gives me someField000: 2022-07-20 18:07
ruby filter :

ruby {
        code => '
            t = Time.at(event.get("Date Transmission").to_f)
            event.set("someField", t.strftime("%Y-%m-%d"))
            event.set("someField000", t.strftime("%Y-%m-%d %H:%m"))
        '
    }

But I specified the minute not the second. did i do something wrong ?
Thanks!

Badger · August 4, 2022, 8:51pm

When you parse a string with a date filter the result is always in UTC (note the Z at the end of [field1]. Is the timezone of the machine running logstash one hour ahead of UTC, as much of Europe is?

alex_vermex · August 5, 2022, 7:21am

Yes ok thanks, just about the ruby filter event.set("someField000", t.strftime("%Y-%m-%d %H:%m")) I specified the minute not the second and it gives me someField000: 2022-07-20 18:07 there is somthing wrong right ?

Badger · August 5, 2022, 2:34pm

Looks OK to me. Why do you think it is wrong?

alex_vermex · August 7, 2022, 8:49am

I mean it should give me someField000:2022-07-20 18:59 not someField000:2022-07-20 18:07 i specified %H:%m not %H: %s no?

Badger · August 7, 2022, 4:41pm

%H:%m is hour and month, not hour and minute. Try %H:%M.

system · September 4, 2022, 4:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.