Converting time into @timestamp

zappe · October 23, 2015, 11:28am

I'm trying to get my time into @timestamp but are failing.

Lines looks like this "20151012 08:57:43 ..."

And I use the following config:

grok {
match => { "message" => "(?\d{1,8}.\d{1,2}[:]?\d{1,2}[:]\d{1,2})%{SPACE}% ... }

date {
locale => "en"
match => ["date", "YYYYMMdd HH:mm:ss"]
}

I get no errors.
Do I need to convert "date"?

magnusbaeck · October 23, 2015, 2:12pm

Your date filter works fine:

$ cat test.config 
input { stdin {} }
output { stdout { codec => rubydebug } }
filter {
  date {
    match => ["message", "YYYYMMdd HH:mm:ss"]
  }
}
$ echo '20151012 08:57:43' | /opt/logstash/bin/logstash -f test.config
Logstash startup completed
{
       "message" => "20151012 08:57:43",
      "@version" => "1",
    "@timestamp" => "2015-10-12T06:57:43.000Z",
          "host" => "lnxolofon"
}
Logstash shutdown completed

Have you verified that the date field contains what you expect? Have you tried cranking up logging with --verbose or --debug?

zappe · October 26, 2015, 7:15am

Yes "date" field works. I can see that in Kibana.

So then I assume it's something I missed in the Kibana config?
Should I start a new thread in that area?

magnusbaeck · October 26, 2015, 7:31am

Sorry, I don't get what the problem is. First you said that @timestamp isn't populated but now you say that the date filter works. To me that's contradictory.

zappe · October 26, 2015, 7:34am

It's not.
The "date" field has the correct information, i.e. 20151012 08:57:43.
But @timestamp is not populated correctly with that information when I see it Kibana, instead @timestamp has the date and time of when I imported the data.

magnusbaeck · October 26, 2015, 7:39am

Sorry, I misread. Okay, so date is okay and my previous example indicated that the date filter works with the input given and produces a @timestamp with the expected result. I suggest you try the same thing on your side, preferably with a stdout { codec => rubydebug } output. If that also works, inspect the resulting document directly in Elasticsearch. Somewhere along this chain you're going to find the problem.

zappe · October 26, 2015, 8:05am

No worries!
I tried that and it gave me some strange output

"message" => "20151004 18:38:23 ...",
"@timestamp" => "2015-01-04T17:38:23.000Z",
"date" => "20151004 18:38:23",

How is that possible?

magnusbaeck · October 26, 2015, 8:45am

Your date pattern is wrong. I suspect you have "mm" instead of "MM" for the month. The one-hour difference in the time is because @timestamp is UTC and your timezone is UTC+1 (on Jan 4 anyway; on Oct 4 it's probably UTC+2).

zappe · October 26, 2015, 9:10am

Actually I had DD instead of dd.

Now it's all working.

Thanks!