Convert String to date and replace @timestamp

ginu · December 11, 2019, 11:07am

Hi all
I have a custom field
msg.message.timestamp which have the date in the format yyyy-MM-ddThh:mm:ss.nnnZ format
eg. 2019-12-11T10:17:54.961Z

I would like to use this as @timestamp. I tied a couple of things without success:
Try 1:

if ([msg][message][timestamp]){
        ruby {
            id => update_timetaken_with_msg_message_timestamp
            code => "b=event.get('[msg][message][timestamp]'); event.set('@timestamp', DateTime.parse(b);"
        }
}

Try 2:

mutate {
    convert => { "[msg][message][timestamp]" => "string" }
}
date {
    match => ["[msg][message][timestamp]", "yyyy-MM-dd'T'HH:mm:ss'.'SSS'Z'"]
    timezone => "UCT"
    target => "@timestamp"
}

But unfortunately, both are not working

Regards, Ginu

Jenni · December 11, 2019, 1:16pm

Does this work?

date {
    match => ["[msg][message][timestamp]", "ISO8601"]
}

ginu · December 11, 2019, 1:27pm

Thanks a lot Jenni... that worked.

date {
match => ["[msg][message][timestamp]", "ISO8601"]
target => "@timestamp"
}

system · January 8, 2020, 1:27pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.