Convert String to Date field

I tried converting one of the string fields to a Date field. I can see in the logs that it could be changed to a date field because it's without quotes, but it's still showing the field as keyword.

Logstash Config

# "Submit Date" => "2022-04-11T17:10:55.000+0000",
grok {
  match => [ "[response][body][entries][values][Submit Date]", "^(?<[custom.date]>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?)" ]
}

date {
  match => ["custom.date", "yyyy-MM-dd'T'HH:mm:ss.SSS"]
  target => "[response][body][entries][values][Submit Date]"
}

OUTPUT

   "SLA Res Result Duration" => nil,
                                          "Time Spent (min)" => 0,
                                "Change Request Prev Status" => "Draft",
                                               "Submit Date" => 2023-01-17T16:37:43.000Z,
                                              "TemplateGUID" => nil,
                                                "PortNumber" => nil,
                                       "Requester Contacted" => nil,

Please suggest what I am doing wrong.

Thanks

Anyone, please help. Elasticsearch version 8.6, using DataStream to index documents.

Your data pattern accepts a string, and the pattern should be recreated when you are sure that the conversion is correct, for instance by using ruby debug.

"Submit Date" => 2023-01-17T16:37:43.000Z is a date field
"Submit Date" => "2023-01-17T16:37:43.000Z" is a string field

Try to create a new temporary index; there should be a date field by default because ES recognizes the data type.
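Added example (not part of the thread and not Elastic's code): a field's type is fixed per index once it is first mapped, so one way to see why "Submit Date" still shows as keyword is to read the mapping of each backing index of the data stream. The script walks a `GET <data-stream>/_mapping` response for the field from the post and reports its mapped type and the index's `date_detection` setting. The index names and the sample response are constructed for illustration.

```python
FIELD = "response.body.entries.values.Submit Date"  # field path from the post


def nested(path, leaf):
    """Build the nested `properties` tree for a dotted field path."""
    for name in reversed(path.split(".")):
        leaf = {"properties": {name: leaf}}
    return leaf


# Constructed sample shaped like a `GET <data-stream>/_mapping` response.
# Index names and mappings are made up, not taken from the thread.
SAMPLE_MAPPING = {
    ".ds-logs-demo-default-2023.01.17-000001": {
        "mappings": {"date_detection": False, **nested(FIELD, {"type": "keyword"})}
    },
    ".ds-logs-demo-default-2023.01.18-000002": {
        "mappings": nested(FIELD, {"type": "date"})
    },
}


def field_mapping(mappings, path):
    """Resolve a field path in a mapping; returns the field's mapping or None.
    Tries the longest name first because a mapped name may contain dots,
    and also looks into multi-fields (e.g. `<field>.keyword`)."""
    props = {**mappings.get("fields", {}), **mappings.get("properties", {})}
    parts = path.split(".")
    for i in range(len(parts), 0, -1):
        name = ".".join(parts[:i])
        if name not in props:
            continue
        rest = ".".join(parts[i:])
        found = props[name] if not rest else field_mapping(props[name], rest)
        if found is not None:
            return found
    return None


def report(mapping_response, path=FIELD):
    """Return {index: (mapped type or None, date_detection)} per index."""
    out = {}
    for index, body in sorted(mapping_response.items()):
        mappings = body.get("mappings", {})
        node = field_mapping(mappings, path)
        ftype = None if node is None else node.get("type", "object")
        # date_detection is true unless the mapping root disables it
        out[index] = (ftype, mappings.get("date_detection", True))
    return out


if __name__ == "__main__":
    for index, (ftype, detect) in report(SAMPLE_MAPPING).items():
        print(f"{index}: type={ftype} date_detection={detect}")
```

An index that already reports `keyword` keeps that type for the field no matter what Logstash sends; only a new index or backing index can map it differently.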
