Extract UNIX_MS using 'grok' regex - use it as date using 'date'

uda_kay · April 25, 2017, 9:55am

Hello
i have a field named "message", it contains the string:
"GET1: +992545989898 GET2: 365981022808151-821eaec1d4b27cc974c97e11a2343f705c0c4612-1492310893103"
The field contains Phone-number, ID, HEX-data, and epoch (UNIX_MS) at the end,
some how the m_date field is added, but recognized as string instead of date
i want also to replcae the @timestamp with this m_date field
Thanks

this is my filter:

 filter {  
       grok {
                    match => {
                                    "message" => "GET1:\s\++(?<m_num>\d+)\sGET2:\s(?<m_id>\d+)-[a-fA-F\d]+-(?<m_date>\d+)"
                       }
        }
          date {
                            match => ["m_date","UNIX_MS","UNIX"]
                            timezone => "UTC"
                    }
    }

magnusbaeck · April 25, 2017, 10:07am

some how the m_date field is added, but recognized as string instead of date

That's expected. Do you really need to keep m_date if you store the timestamp in @timestamp?

i want also to replcae the @timestamp with this m_date field

If the date filter can't parse a string it'll tell you why in the Logstash log.

uda_kay · April 25, 2017, 11:07am

Do you really need to keep m_date if you store the timestamp in @timestamp?

No, but how to convert, how to store 'm_date' as '@timestamp' ?

If the date filter can't parse a string it'll tell you why in the Logstash log.

That's the weird part , I see it on kibana as string, but there is no error in /var/log/logstash/logstash-plain.log
it looks like it is ignoring it, or override it...

Can I define the match from 'message' field inside the 'date' without using grok.
Or maybe there is another way (couldn't do it using console with (painless).

Maybe you can point me to other options i should check
Thank you very much

PS

Can i change string from epoch time to date on kibana

magnusbaeck · April 25, 2017, 12:18pm

No, but how to convert, how to store 'm_date' as '@timestamp' ?

Use the date filter. Your current configuration looks correct.

Please show an example event, either via copy/paste from Kibana's JSON tab or from a stdout { codec => rubydebug } output.

uda_kay · April 26, 2017, 7:19am

Thank you @magnusbaeck

At the end I've finally (my friend actually ) got that:

The m_date was a string, date read the UNIX_MS only if it's a number
so through mutate I've convert it to integer
then i use date

(Also change the m_date name to 'm_date_format', but i don't think it's part of the solution... )

Here is the code:

grok {
    match => {
                    "message" => "GET1:\s\++(?<m_num>\d+)\sGET2:\s(?<m_id>\d+)-[a-fA-F\d]+-(?<m_date>\d+)"
       }
}
mutate {
       convert => {"m_date" => "integer"}
}
date {
        match => ["m_date","UNIX_MS"]
        target => "m_date_format"
}

system · May 24, 2017, 7:21am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.