Logstash set hour %{+HH} timezone on strings?

mostolog · February 15, 2017, 5:51pm

Hi

When dealing with Logstash dates, anyone can easily convert a text string date field to a real date (with proper TZ and DST) using date filter:

    date {
        timezone => "Europe/Madrid"
        match => ["mytime", "ISO8601"]
        locale => "es"
    }

(please, notice timezone (and locale) above)

However, I would like to append current hour to a string field and seems:

mutate { replace => { "field" => "%{field}-%{+HH}" } }

it's adding hours in UTC, so it's always 1 hour less than it should.

What's would be the proper way to do it?

Thanks,
Regards

magnusbaeck · February 15, 2017, 6:24pm

The %{+format} notation always uses the @timestamp field which by definition is UTC. This is not configurable.

mostolog · February 16, 2017, 9:09am

Damn it!
Any way to extract HH from @timestamp field (already with TZ and DST?) regex? substring? event['@timestamp][x..y]? Substring in logstash

Regards

magnusbaeck · February 16, 2017, 9:13am

You can use a ruby filter to read the timestamp value in @timestamp. That object might have a strftime() method that you can use.

system · March 16, 2017, 9:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.