Logstash set hour %{+HH} timezone on strings?

mostolog · February 15, 2017, 5:51pm

Hi

When dealing with Logstash dates, anyone can easily convert a text string date field to a real date (with proper TZ and DST) using date filter:

    date {
        timezone => "Europe/Madrid"
        match => ["mytime", "ISO8601"]
        locale => "es"
    }

(please, notice timezone (and locale) above)

However, I would like to append current hour to a string field and seems:

mutate { replace => { "field" => "%{field}-%{+HH}" } }

it's adding hours in UTC, so it's always 1 hour less than it should.

What's would be the proper way to do it?

Thanks,
Regards

magnusbaeck · February 15, 2017, 6:24pm

The %{+format} notation always uses the @timestamp field which by definition is UTC. This is not configurable.

mostolog · February 16, 2017, 9:09am

Damn it!
Any way to extract HH from @timestamp field (already with TZ and DST?) regex? substring? event['@timestamp][x..y]? Substring in logstash

Regards

magnusbaeck · February 16, 2017, 9:13am

You can use a ruby filter to read the timestamp value in @timestamp. That object might have a strftime() method that you can use.

Topic		Replies	Views
Getting hour value from @timestamp in a custom 'hour' field Logstash	5	6303	February 9, 2018
Why my @timestamp shows wrong hour when overwritten? Logstash	3	418	December 26, 2021
Retrieve Hour and Day from Timestamp Logstash	4	1513	February 24, 2020
Use time same with the host local timezone Logstash	2	372	August 6, 2018
Ruby time.strftime Stripping hours from the time Logstash	4	1081	October 6, 2021