Converting a date input as a string into a new format

thadc · April 18, 2019, 3:15pm

Hello, I have a need to convert a field value for a log time stamp from its current ISO8601 into a format of yyyy.mm.dd hh.mm.ss on output. I have a filter similar to the following:

filter {
.
. (grok section to parse input omitted for clarity)
.
date {
match => ["logDateTime", "ISO8601"]
target => "logDateTimeAlias"
}
}

so this date filter properly isolates all the logDateTime values and properly assigns them to the target logDateTimeAlias on output. However, date does not have to way to convert the field value to another format and I cannot find a filter that does except of date_formatter which I cannot install the plugin for in my environment.

I would be grateful for any ideas on how to convert the format in the manner I am looking for. Thanks!

Badger · April 18, 2019, 4:29pm

You could do it in Ruby. This works, but doesn't feel quite right.

    ruby {
        code => '
            t = event.get("@timestamp")
            event.set("dateTime", Time.at(t.to_f).strftime("%Y.%m.%d %H.%M.%S"))
        '
    }

system · May 16, 2019, 4:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.