I need to convert a data field to a date field. I am working on a restore process, where I get an old file and insert it into Elasticsearch with Logstash.
I received a file with this date format [06/Jun/2022:13:20:01 -0300]. I've tried to use many grok patterns (SYSLOGTIMESTAMP, TIMESTAMP_ISO8601, DATESTAMP_EVENTLOG), but none of them work, only DATA or GREEDYDATA.
I parsed this information with this grok: [%{DATA:Data_Evento} -0300]. I keep only the date and hour. I didn't use -0300.
But I need to convert it to a date, because I use this information to search.
I tried to use date inside grok.
< date {
match => ["Data_Evento", Date]
target => "Data_Evento" />
But it didn't work.
Is there any grok timestamp format to resolve it? Or will I need to make a custom pattern to resolve it?
What does your message look like? Can you share an example?
If you have the field Data_evento with this 06/Jun/2022:13:20:01 value, you can use the following date filter to parse it.
date {
  match => ["Data_evento", "dd/MMM/yyyy:HH:mm:ss"]
  timezone => "-0300"
}
Since you removed the timezone information from the date string, you need to configure the timezone option in the date filter since your date has an offset.
I've resolved my problem using a date format inside the index template.
I configured this date format: dd/MMM/yyyy:HH:mm:ss. After that I sent the data from Logstash.
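An added example, not part of the thread or the posters' own configuration: a Logstash pipeline that captures the whole timestamp, offset included, with the stock HTTPDATE grok pattern and parses it with the date filter's `Z` token, so the -0300 is kept rather than stripped. The generator input and its sample line are constructed for illustration; the field name Data_Evento is the one from the question.

```logstash
input {
  generator {
    # Constructed sample line in the format shown in the question
    lines => ["[06/Jun/2022:13:20:01 -0300] restored event"]
    count => 1
  }
}

filter {
  # HTTPDATE matches dd/MMM/yyyy:HH:mm:ss followed by the numeric offset,
  # so the offset is captured together with the date and time.
  grok {
    match => { "message" => "\[%{HTTPDATE:Data_Evento}\]" }
  }

  # "Z" reads the offset from the string itself, so no timezone option
  # is needed and each event carries its own offset.
  date {
    match          => ["Data_Evento", "dd/MMM/yyyy:HH:mm:ss Z"]
    target         => "Data_Evento"
    # Events whose timestamp does not parse are tagged, which makes them
    # easy to find after a bulk restore.
    tag_on_failure => ["_dateparsefailure"]
  }
}

output {
  stdout { codec => rubydebug }
}
```

The date filter stores the parsed value in UTC. A mapping format of dd/MMM/yyyy:HH:mm:ss without an offset makes Elasticsearch read the value as UTC, which shifts events recorded at -0300 by three hours on a timeline.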