Logstash pull date out of json event

Chris_Clifton · January 10, 2017, 1:53am

Wondering what's best way to pull date and timezone of a structured json event that comes into logstash,

event looks like :

{
"datetime" => {
"date" => "2017-01-10 00:05:25.768826",
"timezone" => "UTC",
"timezone_type" => 3
},
"level_name" => "ERROR",
"@timestamp" => 2017-01-10T01:20:55.811Z,
"level" => 400,
"extra" => [],
"context" => {
"exception" => {
"code" => 0,
"file" => "/var/www/app2/cache/prod/classes.php:4595",
"previous" => {
"code" => 0,
"file" => "/var/www/app2/cache/prod/thisProdMatcher.php:75",
"message" => "",
"class" => "Symfony\Component\Routing\Exception\ResourceNotFoundException"
},
"message" => "No route found for "GET /test"",
"class" => "Symfony\Component\HttpKernel\Exception\NotFoundHttpException"
}
},
"channel" => "request",
"@version" => "1",
"host" => "localhost",
"message" => "Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\NotFoundHttpException: "No route found for "GET /test"" at /var/www/app2/cache/prod/classes.php line 4595",
"tags" => []
}

I thought date filter could match, but not sure syntax to match it.

magnusbaeck · January 10, 2017, 7:10am

date {
  match => ["[datetime][date]", "ISO8601"]
  timezone => "%{[datetime][timezone]}"
}

https://www.elastic.co/guide/en/logstash/current/event-dependent-configuration.html#logstash-config-field-references

Chris_Clifton · January 10, 2017, 9:08pm

That worked, thanks! Had to trim my date field down, date doesn't support 6 digit second precision.

system · February 7, 2017, 9:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.