How can I parse this date format into @timestamp?

Roger_Huang · October 11, 2022, 3:01am

Hi everyone, I am new to ELK and I cannot seems to get this right. Keep getting date parse error. I also wanted to put the _time to @timestamp.

For your kind advise please.

2022-06-30T13:14:40.558

Edgar.conf

input {
	file {
		path => "/usr/share/logstash/elogs/log20220630.csv"
		start_position => "beginning"
        sincedb_path => "/dev/null"
	}
}

filter {
	csv {
		separator => ","
		skip_header => "true"
		columns => ["_time","uri_path"]
	}
	date {
	    match => ["_time", "YYYY-MM-dd HH:mm:ss.SSS"]
	    target => "@timestamp"
        add_field => { "debug" => "timestampMatched"}
	}
}
output {
	elasticsearch {
		hosts => "elasticsearch:9200"
		user => "logstash_internal"
		password => "${LOGSTASH_INTERNAL_PASSWORD}"
		index => "ecs-logstash-edgar"
	}
	file {
        path => "/usr/share/logstash/elogs/output/edgar_log.txt"
    }
	stdout {}
}

stephenb · October 11, 2022, 5:55am

Hi @Roger_Huang Welcome to the community!

Perhaps Your missing the T

match => ["_time", "YYYY-MM-dd'T'HH:mm:ss.SSS"]

2022-06-30T13:14:40.558

Corrected per @Rios

Rios · October 11, 2022, 6:31am

You can use also ISO8601.

	date {
	    match => ["_time", "ISO8601"]
	    target => "@timestamp"
	    add_field => { "debug" => "timestampMatched"}
	}

Roger_Huang · October 11, 2022, 1:25pm

Hi Stephen,

Thanks for sharing for using the "T". It does not work on the first instance, but will try again to find out why it doesn't tomorrow. For now, the "ISO8601" works for me.

Roger_Huang · October 11, 2022, 1:28pm

Thanks all for your inputs. I have learned a lot from you guys. Cheers and will close this topic for now.

Rios · October 20, 2022, 7:51pm

Just for info, you can also use as you suggest with 'T' , instead of ISO8601:
match => ["_time", "YYYY-MM-dd'T'HH:mm:ss.SSS"]

For non-formatting syntax, you’ll need to put single-quote characters around the value. For example, if you were parsing ISO8601 time, "2015-01-01T01:12:23" that little "T" isn’t a valid time format, and you want to say "literally, a T", your format would be this: "yyyy-MM-dd’T’HH:mm:ss"

system · November 17, 2022, 7:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing date for @timestamp Logstash	3	266	March 18, 2020
Datestamp to @timestamp Logstash	3	303	February 16, 2021
How to parse date field into @timestamp Logstash	18	35167	December 12, 2017
Logstash _dateparsefailure Logstash	4	415	August 31, 2018
Logstash CSV filter - _dateparsefailure from string to date Logstash	3	398	April 1, 2021

How can I parse this date format into @timestamp?

Related topics