How can I parse this date format into @timestamp?

Roger_Huang · October 11, 2022, 3:01am

Hi everyone, I am new to ELK and I cannot seems to get this right. Keep getting date parse error. I also wanted to put the _time to @timestamp.

For your kind advise please.

2022-06-30T13:14:40.558

Edgar.conf

input {
	file {
		path => "/usr/share/logstash/elogs/log20220630.csv"
		start_position => "beginning"
        sincedb_path => "/dev/null"
	}
}

filter {
	csv {
		separator => ","
		skip_header => "true"
		columns => ["_time","uri_path"]
	}
	date {
	    match => ["_time", "YYYY-MM-dd HH:mm:ss.SSS"]
	    target => "@timestamp"
        add_field => { "debug" => "timestampMatched"}
	}
}
output {
	elasticsearch {
		hosts => "elasticsearch:9200"
		user => "logstash_internal"
		password => "${LOGSTASH_INTERNAL_PASSWORD}"
		index => "ecs-logstash-edgar"
	}
	file {
        path => "/usr/share/logstash/elogs/output/edgar_log.txt"
    }
	stdout {}
}

stephenb · October 11, 2022, 5:55am

Hi @Roger_Huang Welcome to the community!

Perhaps Your missing the T

match => ["_time", "YYYY-MM-dd'T'HH:mm:ss.SSS"]

2022-06-30T13:14:40.558

Corrected per @Rios

Rios · October 11, 2022, 6:31am

You can use also ISO8601.

	date {
	    match => ["_time", "ISO8601"]
	    target => "@timestamp"
	    add_field => { "debug" => "timestampMatched"}
	}

Roger_Huang · October 11, 2022, 1:25pm

Hi Stephen,

Thanks for sharing for using the "T". It does not work on the first instance, but will try again to find out why it doesn't tomorrow. For now, the "ISO8601" works for me.

Roger_Huang · October 11, 2022, 1:28pm

Thanks all for your inputs. I have learned a lot from you guys. Cheers and will close this topic for now.

Rios · October 20, 2022, 7:51pm

Just for info, you can also use as you suggest with 'T' , instead of ISO8601:
match => ["_time", "YYYY-MM-dd'T'HH:mm:ss.SSS"]

For non-formatting syntax, you’ll need to put single-quote characters around the value. For example, if you were parsing ISO8601 time, "2015-01-01T01:12:23" that little "T" isn’t a valid time format, and you want to say "literally, a T", your format would be this: "yyyy-MM-dd’T’HH:mm:ss"

system · November 17, 2022, 7:51pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.