Hello.
I have the following date stamp info at the start of my log line and I need to convert them to integers.
Log Line:
2019-06-17 14:05:00.202
Expected Output:
Year: 2019
Month: 06
Date: 17
Hours: 14
Minutes: 05
Sec: 00
Millisec: 202
All the above fields should be in integer for my visualization purposes.
Is there any easy way to do it?
Any help providing me with an example syntax is appreciated
mutate { add_field => { "someField" => "2019-06-17 14:05:00.202" } }
date { match => [ "someField", ISO8601 ] target => "[@metadata][ts]" }
ruby {
code => '
epochMS = event.get("[@metadata][ts]").to_f * 1000
dateTime = DateTime.strptime(epochMS.to_s, "%Q")
event.set("Year", dateTime.year)
event.set("Month", dateTime.month)
event.set("Date", dateTime.day)
event.set("Hours", dateTime.hour)
event.set("Minutes", dateTime.minute)
event.set("Sec", dateTime.second)
event.set("Millisec", epochMS.to_i % 1000)
'
}It has been converted to date time format but when I open the parsed logs in kibana I am getting the following errors.
Also the date hour min info are all wrong. only the captured field I named "loggedTime" seems right.
This is the filter I used:
date
{
match => [ "endTime", ISO8601 , "YYYY-MM-dd HH:mm:ss.ZZZ" ]
target => "loggedTime"
}
ruby {
code => '
epochMS = event.get("loggedTime").to_f * 1000
dateTime = DateTime.strptime(epochMS.to_s, "%Q")
event.set("Year", dateTime.year)
event.set("Month", dateTime.month)
event.set("Date", dateTime.day)
event.set("Hours", dateTime.hour)
event.set("Minutes", dateTime.minute)
event.set("Sec", dateTime.second)
event.set("Millisec", epochMS.to_i % 1000)
'
}
When I opened Kibana - the index I created I got th following error.
"
Discover: failed to parse date field [-61566890962977] with format [epoch_millis]: [failed to parse date field [-61566890962977] with format [epoch_millis]]
Less Info
OK
Error: Request to Elasticsearch failed: {"error":{"root_cause":[{"type":"parse_exception","reason":"failed to parse date field [-61566890962977] with format [epoch_millis]: [failed to parse date field [-61566890962977] with format [epoch_millis]]"}],"type":"search_phase_execution_exception","reason":"all shards failed","phase":"query","grouped":true,"failed_shards":[{"shard":0,"index":"datetimecon2","node":"UqVrXZn4TROzulIgqflqgA","reason":{"type":"parse_exception","reason":"failed to parse date field [-61566890962977] with format [epoch_millis]: [failed to parse date field [-61566890962977] with format [epoch_millis]]","caused_by":{"type":"illegal_argument_exception","reason":"failed to parse date field [-61566890962977] with format [epoch_millis]","caused_by":{"type":"date_time_parse_exception","reason":"Failed to parse with all enclosed parsers"}}}}]},"status":400}
at http://localhost:5601/bundles/commons.bundle.js:3:1388766
at Function.Promise.try (http://localhost:5601/bundles/commons.bundle.js:3:1065792)
at http://localhost:5601/bundles/commons.bundle.js:3:1065161
at Array.map ()
at Function.Promise.map (http://localhost:5601/bundles/commons.bundle.js:3:1065119)
at callResponseHandlers (http://localhost:5601/bundles/commons.bundle.js:3:1387778)
at http://localhost:5601/bundles/commons.bundle.js:3:1369738
at processQueue (http://localhost:5601/built_assets/dlls/vendors.bundle.dll.js:427:199687)
at http://localhost:5601/built_assets/dlls/vendors.bundle.dll.js:427:200650
at Scope.$digest (http://localhost:5601/built_assets/dlls/vendors.bundle.dll.js:427:210412)"
My guess is that your index mapping maps Date as a date. If you rename that field to dayOfMonth do the errors go away?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
