Logstash tcp plugin

Hello,

I need to convert a data field to a date field. I am working on a restore process, where I get an old file and insert it into Elasticsearch via Logstash.

I received a file with this date format [06/Jun/2022:13:20:01 -0300]. I've tried using many grok patterns (SYSLOGTIMESTAMP, TIMESTAMP_ISO8601, DATESTAMP_EVENTLOG) but none of them work, only DATA or GREEDYDATA.

I parsed this information with this grok: [%{DATA:Data_Evento} -0300]. I keep only the date and hour. I didn't use -0300.

But I need to convert it to a date, because I use this information to search.

I tried to use date inside grok.

  date {
    match => ["Data_Evento", Date]
    target => "Data_Evento"
  }

But it didn't work.

Is there any grok timestamp format to resolve it? Or will I need to make a custom pattern to resolve it?

Regards,

Silas Muniz

Hi Silas

Did you try using a mapping template, and putting the field data_evento as date in the mapping?

What does your message look like? Can you share an example?

If you have the field Data_evento with this 06/Jun/2022:13:20:01 value, you can use the following date filter to parse it.

  date {
    match => ["Data_evento", "dd/MMM/yyyy:HH:mm:ss"]
    timezone => "-0300"
  }

Since you removed the timezone information from the date string, you need to configure the timezone option in the date filter since your date has an offset.

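A variant of the answer above that keeps the offset in the captured field instead of discarding it, as an added example that is not part of the original thread. It assumes the raw line is in the `message` field and that the timestamp appears in square brackets as in the question; `HTTPDATE` is a stock grok pattern and `Z` in the date format consumes the `-0300` offset, so the `timezone` option is not needed.

```logstash
filter {
  # Assumption: the raw log line is in [message] and contains a bracketed
  # timestamp such as [06/Jun/2022:13:20:01 -0300] (value from the question).
  # HTTPDATE = MONTHDAY/MONTH/YEAR:TIME INT, so the offset is captured too.
  grok {
    match => { "message" => "\[%{HTTPDATE:Data_Evento}\]" }
  }

  date {
    # "Z" parses the numeric offset, so each event carries its own timezone
    # and restored files from different offsets are normalised correctly.
    match  => ["Data_Evento", "dd/MMM/yyyy:HH:mm:ss Z"]
    # Month abbreviations like "Jun" are English; pin the locale so parsing
    # does not depend on the language of the host running Logstash.
    locale => "en"
    # Overwrite the string with a real date value. Remove this line to
    # write the parsed time to @timestamp (the default target) instead.
    target => "Data_Evento"
  }

  # Events whose timestamp could not be parsed keep the original string and
  # are tagged "_dateparsefailure" (the date filter's default failure tag).
}
```

With the field stored as a date, a restored file is indexed at the time the event happened rather than the time it was replayed, which matters when the data is later searched by time range.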

@leandrojmp @dmrlixos

I've resolved my problem using a date format inside the index template.
I configured this date format: dd/MMM/yyyy:HH:mm:ss. After that I sent the data from Logstash.

Thank you !!!

Silas Muniz
