How to special date time format to timestamp format

Elastic Stack Logstash
1

I have a log type that I cannot manipulate. How can I convert the Time format in the log to timestamp format?
Example log: "0001 021222 095725 00240541029896158 11 00 00 0000000000 000 0"
Date and time that comes with the log: 021222 095725
thanks in advance for your help

2

Are you trying to do it via logstash?

If yes, you can use GROK Pattens to match it and using mutate filter you can convert any field to date format.

3

Not sure what a date format do you have.

filter {

	grok {
		match => { "message" => "%{NUMBER:somenum}%{SPACE}%{NUMBER:date1}%{SPACE}%{NUMBER:date2}%{SPACE}" }
	}

	mutate { add_field => { "[date]" => "%{[date1]}%{[date2]}"} }

	date { 
		match => ["date", "MM/dd/yyyy HH:mm:ss"  ]   # put your format
	}
}
4

elkstack
elkstack1087×161 28.8 KB

I want to replace the log time recorded by the system in timestamp

5

Thank you, I will try

6

Code:

filter {

	grok {
		match => { "message" => "%{NUMBER}%{SPACE}%{NUMBER:[@metadata][date]}%{SPACE}%{NUMBER:[@metadata][time]}%{SPACE}" }
	}

	mutate { add_field => { "[@metadata][datetime]" => "%{[@metadata][date]}%{[@metadata][time]}"} }

	date {
		match => ["[@metadata][datetime]", "ddMMyyHHmmss"  ] # put your format
		timezone => "Asia/Dubai" # Set your own or leave it as it is
		target=> "@timestamp" # default destination field
	}
}

Result:

    "@timestamp" => 2022-09-16T13:17:01.000Z,
     "@metadata" => {
            "date" => "160922",
            "time" => "171701",
        "datetime" => "160922171701"
    }
7

I want to use the datetime in the log record because the datetime in the log and the time the logs are read do not match.

our grok filter

 grok {
      match => {"message" => ["%{WORD:TERMINAL_NO} %{MONTHDAY:day}%{MONTHNUM:month}%{YEAR:year} %{HOUR:hour}%{MINUTE:minute}%{SECOND:second} %{WORD:CARD_NUMBER} %{WORD:Event1} %{WORD:Event2} %{WORD:Event3} %{WORD:Event4} %{WORD:Event5} %{WORD:Event6}"] }

      remove_field => "message"
    }
    mutate {
      add_field => { "date" => "%{day}%{month}%{year} %{hour}%{minute}%{second}" }
    }

    date {
      match => ["date", "MM/dd/yyy HH:mm:ss" ]
    }```

result :


[
  {
    "TERMINAL_NO": 13,
    "day": 2,
    "month": 12,
    "year": 22,
    "hour": 11,
    "minute": 59,
    "second": 59,
    "CARD_NUMBER": 1115481172,
    "Event1": 11,
    "Event2": 0,
    "Event3": 0,
    "Event4": 0,
    "Event5": 0,
    "Event6": 0
  }
]```
8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.