How can I convert @timestamp from logstash to encoded format as YYYY-MM-DDThh:mm:ss.sss+/-hh:mm

teja_tata · October 27, 2022, 11:28am

I have tried using date filter match option but didn't work.
It would be great if someone can help me here.

cheshirecat · October 27, 2022, 12:06pm

And what is your filter syntax?

teja_tata · October 27, 2022, 12:39pm

    date {
            match => [ "timestamp", "ISO8601" ]
            target => "@timestamp"
      }

Here "timestamp" is the variable where I want to store the converted timestamp

Rios · October 27, 2022, 1:58pm

Yes, this is how should code be in general.
And how does your data look like? Can you give an example?

teja_tata · October 27, 2022, 4:47pm

Here I am sending input message to logstash from filebeat and checking the message in Elasticsearch. There are few things I am trying to achieve here, like when we don't send any timestamp in input message then I will be taking "@timestamp" (timestamp at which logstash recieves the event)value and will convert to the format I want and save it in different field "timestamp".
@timestamp we get from Logstash generally in this format "2022-10-27T03:49:25.530Z"
I want new timestamp field with this format [YYYY-MM-DDThh:mm:ss.sss+/-hh:mm]

leandrojmp · October 27, 2022, 5:19pm

I don't think this is possible, using the date filter will transform the field into a date type field which will have this format yyyy-MM-ddTHH:mm:ss.SSSZ and the time will always be in UTC (that's waht the Z at the end means)

teja_tata · October 27, 2022, 5:39pm

ok. Can you suggest me any other filter in Logstash or any logic with which I could achieve this conversion

leandrojmp · October 27, 2022, 5:43pm

It depends, if you want the field to be a date field, then there is none, all date fields will have this format.

What you may try is to use some ruby code with the ruby filter to create a string with the format you want, but this will need to be mapped as a string in elasticsearch.

teja_tata · October 27, 2022, 5:45pm

yeah in that case may be I can use date filter to convert that string after conversion to date again. Is that possible?

teja_tata · October 27, 2022, 5:53pm

I have also found one similar issue attaching code solution and link below.

ruby {
        code => '
            t = Time.at(event.get("@timestamp").to_f)
            event.set("someField", t.strftime("%Y-%m-%d"))
        '
    }

But not sure how can I use this code to get the format I want [YYYY-MM-DDThh:mm:ss.sss+/-hh:mm]

Rios · October 27, 2022, 8:11pm

You want to add time offset to UTC? You can add as abs. like timezone => "+0100" or relatively to a time zone.

	date {
      match => [ "timestamp", "ISO8601" ]
      timezone => "Europe/Berlin"
	  target=> "@timestamp"
	}

teja_tata · October 28, 2022, 1:50am

Here I don't want to change timezone I want offset as +00:00. Can I use the way you mentioned even for that case?

system · November 25, 2022, 1:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Convert @timestamp date format Logstash	9	10712	April 26, 2018
Conver String to date (or replace @timestamp) (SOLVED) Logstash	13	19995	July 6, 2017
Converting time into @timestamp Logstash	9	2069	July 6, 2017
Date filter issue String to ISO Timestamp Logstash	9	864	June 7, 2019
Convert String to timestamp example Logstash	7	18464	April 28, 2017

How can I convert @timestamp from logstash to encoded format as YYYY-MM-DDThh:mm:ss.sss+/-hh:mm

Related Topics