Date not working

huangliusong · January 24, 2019, 9:55am

my conf

input {
    beats {
        port => "5044"
    }
}
filter {
    dissect {
      mapping => {
        "message" => "%{uat_log_date} %{uat_log_time} %{uat_log_ip} %{uat_log_traid} %{uat_log_action} %{uat_log_flag} %{uat_log_ts1} %{uat_log_ts2} %{uat_log_other}"
      }
       add_field => { "full_date" => "%{uat_log_date} %{uat_log_time}" } 
    }
    mutate {
          # full_date of value is 2019-01-21 09:47:03.641
          gsub => ["full_date", "/", "-"]
    }
    date {
		match => [ "full_date", "YYYYMMddHHmmss" ]
	}

  }
output {
    elasticsearch {
        hosts => [ "localhost:9200" ]
        index => "uatlog1-%{+YYYY.MM.dd}"
    }
}

I want to convert the full_date field type to date type using date plugin.

then,The type I query from elasticsearch is text

 "full_date" : {
            "type" : "text",
            "fields" : {
              "keyword" : {
                "type" : "keyword",
                "ignore_above" : 256
              }
            }
          }

What do I need to do to make date plugin to working?

Badger · January 24, 2019, 2:00pm

That date format does not match the format of full_date. Try

date { "match" => [ "date", "ISO8601" ] }

What are you trying to do using the gsub?

huangliusong · January 25, 2019, 12:39am

thank you so much!

I'd like to transfer 2019/01/21 09:47:03.641 to 2019-01-21 09:47:03.641 using gsub!

Badger · January 25, 2019, 2:12am

OK, so use

    mutate { gsub => ["full_date", "/", "-"] }
    date { "match" => [ "full_date", "YYYY-MM-dd HH:mm:ss.SSS" ] timezone => "Pacific/Tarawa" }

Personally, I wouldn't do it that way.

system · February 22, 2019, 2:25am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.