How to convert and store logs time in a field with date type. I'm new to it and need to show some results asap

sagarleo · February 6, 2019, 5:56am

filter {

grok {
match => [ "message", "%{TIMESTAMP_ISO8601:event_timestamp} %{GREEDYDATA:message}" ]
}

date {
match => ["event_timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSSZ"]
target => "@timestamp"
}
}

Christian_Dahlqvist · February 6, 2019, 7:45am

If you are new to Logstash I would recommend this introduction to Logstash.

For people to be able to help it would be useful if you showed us examples of your data and also described what is and is not working with the configuration you provided. If you can not take the time to describe and provide context around your query, why should I take time trying to decipher what you are looking for?

Badger · February 6, 2019, 1:46pm

The grok works, but that date pattern does not match your timestamp. Try

    date {
        match => ["event_timestamp", "YYYY-MM-dd HH:mm:ss.SSS" ]
    }

Note that this is one of the many patterns that are covered by ISO8601 so you could use

 date {
        match => ["event_timestamp", "ISO8601" ]
 }

as an alternative. In the grok you have called the remainder of the line after the timestamp "message". This results in an event that looks like this

     "@timestamp" => 2019-01-18T01:29:51.835Z,
"event_timestamp" => "2019-01-17 23:29:51.835",
        "message" => [
    [0] "2019-01-17 23:29:51.835 Progress: code is gathering data :Resume",
    [1] "Progress: code is gathering data :Resume"
],

which may not be what you want.

sagarleo · February 7, 2019, 7:03am

Thank You Sir . I'm getting date from logs now but the event_timestamp field is in string format. I want to convert this event_timestamp field into date format so that i can use it in data histogram plot instead of timestamp to plot actual timing of logs.
here is my logstash config file:
input {
beats {
port => "5044"
}
}

The filter part of this file is commented out to indicate that it is

optional.

filter {
grok {
match => [ "message", "%{TIMESTAMP_ISO8601:event_timestamp} %{GREEDYDATA:message}" ]
}

date {
match => ["event_timestamp", "ISO8601"]
}
}

output {
elasticsearch {
hosts => [ "

[details="Summary"]
161This text will be blurred.85.107.64
[/details]
:9200" ]
}
stdout {codec => rubydebug}
}

Christian_Dahlqvist · February 7, 2019, 11:56am

Please show what a sample log line looks like.

system · March 7, 2019, 11:56am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.