Date filter not working and I cannot understand why

Nikhil_Utane · February 5, 2018, 9:26am

Hi, the date filter below just refuses to work. Please help me understand what is wrong here.

From logstash output:
"@timestamp" => 2018-01-25T17:18:14.000Z,
"new_timestamp" => 2018-01-25T17:17:14.000Z,

        date {
          match => [ "new_timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSSZ", "ISO8601" ]
          target => "@timestamp"
        }

Tried all following combinations:

match => [ "new_timestamp", "ISO8601" ]
match => [ "new_timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSSZ"]
match => [ "new_timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSSZ", "ISO8601" ]

What I am trying to do here is take an existing event and duplicate it and set the timestamp for it to 1 minute less than the original one.

Following is the code I wrote for this purpose:
ruby {
code => "event.set('new_timestamp', Time.at(event.get('@timestamp').to_i - 60 ))"
}
clone {
clones => [ "clonelog" ]
}
if [type] == 'clonelog' {
date {
match => [ "new_timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSSZ", "ISO8601" ]
target => "@timestamp"
}
mutate {...}
}

-Thanks
Nikhil

Nikhil_Utane · February 5, 2018, 9:38am

Found the problem. new_timestamp is already in Datetime format and not string. So I can use mutate rename instead of date filter. Thanks.

system · March 5, 2018, 9:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.