Grok filter TIMESTAMP_ISO8601 appears in Kibana as String

SecretSquizza · December 10, 2020, 9:27am

Hi all,

I done a bit of rooting around google but can't find any definitive answers, so i decided to humble myself and request help directly.

The problem i have is that, like many incoming messages, my log entry contains a timestamp field, here's an example message:

spc01ws14 sales 2020-12-10 09:15:11,909 INFO UIRequest runLifecycleSteps (102 ms) location=PolicyFile; Sources='TabBar/PolicyTab/PolicyTab_PolicyRetrievalItem_widget/PolicyTab_PolicyRetrievalItem_Button'

The datetime format seems to comply with ISO8601 so i use the following regular expression to parse my message in a grok block:

`grok {
      match => {
        "message" => "(?<serverid>([a-z]{3}[0-9]{2}[a-z]{2}[0-9]{2}){0,1})\s+(?<username>([A-Za-z0-9.@\-]*){0,1})\s+(%{TIMESTAMP_ISO8601:logdate})?\s+(%{LOGLEVEL:loglevel})\s+(?<classname>([^\s]+){0,1})\s+%{GREEDYDATA:body}"
      }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
      tag_on_failure => [ "_not_interested" ]
    }`

The problem i have is that the logdate field comes through to Kibana as a string so i cannot apply between filters to this field.

I read that this is expected behaviour, but i can't find an easy answer to solve the problem i have.

I would also like to flip the fields so the "@timestamp" field contains the current logdate information - is that as easy as changing the grok to (%{TIMESTAMP_ISO8601:@timestamp}) ?

Many thanks in advance.

Badger · December 10, 2020, 5:09pm

If you want the [@timestamp] field to reflect a value extracted using grok you will need to use a date filter.

SecretSquizza · December 14, 2020, 12:27pm

Hi @Badger,

I think i've made some limited progress based on what you've said and following this post

My Grok filter / date filters now look like this:

grok {
      match => {
        "message" => "(?<serverid>([a-z]{3}[0-9]{2}[a-z]{2}[0-9]{2}){0,1})\s+(?<username>([A-Za-z0-9.@\-]*){0,1})\s+(%{TIMESTAMP_ISO8601:logdate})?\s+(%{LOGLEVEL:loglevel})\s+(?<classname>([^\s]+){0,1})\s+%{GREEDYDATA:body}"
      }
      add_field => [ "received_at", "%{@timestamp}" ]
      add_field => [ "received_from", "%{host}" ]
      tag_on_failure => [ "_not_interested" ]
    }
    date {
       match => [ "logdate", "YYYY-MM-dd HH:mm:ss,SSS" ]
       target => "logdate"
    }

I was hoping that, following this change, when i created a new index pattern, i'd have the option of using "logdate" as the time field, but it isn't showing in the list and, if i proceed to create the index pattern on @timestamp then logdate still shows as a String in the field list on the next page.

I can see its made a change to the output in Discover view now as the Logdate is now showing slightly differently to the Original Input:

Before

2020-12-14 12:18:51,397

After

2020-12-14T12:18:51.397Z

Any further suggestions?

Many thanks,
Ade.

SecretSquizza · December 14, 2020, 2:48pm

OK , so i managed to figure out how to resolve this.

I can't write back to the original logdate field as this contains old string information, so i've written this to a new field and Bingo!

system · January 11, 2021, 2:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Date filter in logstash.conf not parsing the date while grok parses it by timestamp_iso8601 Logstash	21	27377	July 6, 2017
Extract datatime in log and convert in datatime field? Logstash	3	143	November 16, 2022
Is there a way to match Timestamps with the time in the message of the log Logstash	10	394	August 26, 2020
Logstash custom DATE fields (extracted by regex or custom patterns) how to convert it to DATE field Elasticsearch	8	566	January 4, 2024
Converting date to ISO8601 Logstash	11	13902	July 6, 2017

Grok filter TIMESTAMP_ISO8601 appears in Kibana as String

Related topics