How to parse timestamp windows event log

Roccof97 · December 6, 2021, 1:15pm

Hello to all,

I have a problem with parsing this field(event.created) with the timestamp, here is the screen:

this is the filter I created:

thanks

aaron-nimocks · December 6, 2021, 1:30pm

Which part of this looks incorrect? It appears that field is being parsed and you are seeing it in Kibana as such.

I would add quotes around ISO8601 but if that was throwing an error I don't think your data in Kibana would look like it was parsed.

filter {
 date {
  match => [ "[event][created]", "ISO8601" ]
 }
}

Roccof97 · December 6, 2021, 2:00pm

my goal is to parse the event.created date in the timestamp, here is the example screenshot.

Unfortunately, with the change you suggested it doesn't work

aaron-nimocks · December 6, 2021, 2:07pm

Understand. Didn't see the @timestamp field in other screenshot.

Have you checked the Logstash logs? If the parsing of the date is failing you should be getting a WARN.

Another thing to check is the value of that field. If it's being create by a filebeat then it should be in ISO8601 which looks like 2016-05-23T08:05:34.857Z. I would just verfiy the value looks correct.

system · January 3, 2022, 2:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
ISO8601 in date filter Logstash	1	1744	August 17, 2017
Logstash date filter and Timestamp Logstash	4	697	August 11, 2020
Date Parser error Logstash	4	2005	July 6, 2017
Logstash : Time Field Logstash	10	2477	February 5, 2018
Date filter in logstash.conf not parsing the date while grok parses it by timestamp_iso8601 Logstash	21	27375	July 6, 2017

How to parse timestamp windows event log

Related topics