How can I parse this date format into @timestamp?

Elastic Stack Logstash
1

Hi everyone, I am new to ELK and I cannot seems to get this right. Keep getting date parse error. I also wanted to put the _time to @timestamp.

For your kind advise please.

Screenshot 2022-10-11 at 10.59.56 AM
Screenshot 2022-10-11 at 10.59.56 AM864×308 79.2 KB 

2022-06-30T13:14:40.558

Edgar.conf

input {
	file {
		path => "/usr/share/logstash/elogs/log20220630.csv"
		start_position => "beginning"
        sincedb_path => "/dev/null"
	}
}

filter {
	csv {
		separator => ","
		skip_header => "true"
		columns => ["_time","uri_path"]
	}
	date {
	    match => ["_time", "YYYY-MM-dd HH:mm:ss.SSS"]
	    target => "@timestamp"
        add_field => { "debug" => "timestampMatched"}
	}
}
output {
	elasticsearch {
		hosts => "elasticsearch:9200"
		user => "logstash_internal"
		password => "${LOGSTASH_INTERNAL_PASSWORD}"
		index => "ecs-logstash-edgar"
	}
	file {
        path => "/usr/share/logstash/elogs/output/edgar_log.txt"
    }
	stdout {}
}

Screenshot 2022-10-11 at 10.58.54 AM
Screenshot 2022-10-11 at 10.58.54 AM555×541 82.6 KB

2

Hi @Roger_Huang Welcome to the community!

Perhaps Your missing the T

match => ["_time", "YYYY-MM-dd'T'HH:mm:ss.SSS"]

2022-06-30T13:14:40.558

Corrected per @Rios

3

You can use also ISO8601.

	date {
	    match => ["_time", "ISO8601"]
	    target => "@timestamp"
	    add_field => { "debug" => "timestampMatched"}
	}
1 Like
4

Hi Stephen,

Thanks for sharing for using the "T". It does not work on the first instance, but will try again to find out why it doesn't tomorrow. For now, the "ISO8601" works for me.

5

Thanks all for your inputs. I have learned a lot from you guys. Cheers and will close this topic for now.

6

Just for info, you can also use as you suggest with 'T' , instead of ISO8601:
match => ["_time", "YYYY-MM-dd'T'HH:mm:ss.SSS"]

For non-formatting syntax, you’ll need to put single-quote characters around the value. For example, if you were parsing ISO8601 time, "2015-01-01T01:12:23" that little "T" isn’t a valid time format, and you want to say "literally, a T", your format would be this: "yyyy-MM-dd’T’HH:mm:ss"

2 Likes
7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.