Logstash date filter for @timestamp and conversion

griffer98 · August 15, 2019, 3:59pm

I currently have a field called time which has a the time my file was created in this format: dd-MM-yyyy_HHmmss. I would like to change the @timestamp to be the the time of file creation(time from my time field) instead of time it was read into logstash.

This is my date filter

     date
  {
    match => [ "Time" , "dd-MM-yyyy_HHmmss" ]
    target => "@timestamp"
  }

I get a dateparsefailure. How do I get the date filter to change the timestamp not only to my new time but also convert the format something different?

Badger · August 15, 2019, 4:27pm

What does the [Time] field look like if you use this?

output { stdout { codec => rubydebug { } } }

In elasticsearch timestamps are stored as the number of milliseconds since the epoch. You can change the display format in Kibana. If you want to store a different string format you can use ruby.

griffer98 · August 15, 2019, 4:30pm

Time looks like this: 03-DEC-2017_140455
I want to convert it into ISO format and make it the @timestamp

Badger · August 15, 2019, 5:21pm

date { match => [ "Time", "dd-MMM-YYYY_HHmmss" ] }

MM matches numeric month 01-12. MMM matches the abbreviated name.

griffer98 · August 15, 2019, 5:33pm

Thank you! That was the problem

system · September 12, 2019, 5:33pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.