Logstash parse date with custom timezone

spuder · December 21, 2015, 11:59pm

I have logs that have a field "timestamp" with the following format

  { 
    "foo":"bar",
    "timeStamp":"2015/12/12 04:18:15.839Z"
  }

Logstash doesn't recognize this as a time, so it imports it as a string and gives it a new field @timestamp which represents when the log was imported, not created.

Trying to use 'date' filter to convert this into a joda time compatible syntax.

http://joda-time.sourceforge.net/apidocs/org/joda/time/format/DateTimeFormat.html

 filter {
 date {
   match => [ "timeStamp","YYYY/MM/DD hh:mm:ss.SSSz"]
   timezone => "UTC"
 }
}

What would be the correct joda syntax for the following date?

2015/12/12 00:00:00.983Z

I've verified that none of the following work:

match => [ "timeStamp","YYYY/MM/DD hh:mm:ss.SSSz"]
match => [ "timeStamp","YYYY/MM/DD hh:mm:ss.SSSZ"]
match => [ "timeStamp","YYYY/MM/DD hh:mm:ss.SSS"]

Since my logs are always in Zulu time. I've also tried treating the timezone as a literal letter 'Z', with no luck

match => [ "timeStamp","YYYY/MM/DD hh:mm:ss.SSS'Z'"]

I'm not sure how else to parse the trailing timezone ("Z")

Joshua_Rich · December 22, 2015, 12:22am

You need to use dd for day of month. DD is day of year (i.e. count since Jan 1).

spuder · December 22, 2015, 1:31am

Thanks, Here is what I ended up doing that worked. By converting the slashes to dashes, logstash recognized the input as a date.

  mutate {
    gsub => [ "timeStamp", "/", "-"]
  }
  date {
    match => [ "timeStamp" ,"ISO8601"]
  }