Logstash time filter not working

rijinmp · January 11, 2018, 11:13am

My CSV

xyz.com,1/1/2018 12:17:37 PM,62
xyz.com,7/15/2017 1:11:34 AM,62
xyz.com,7/15/2017 1:06:34 AM,62
xyz.com,7/15/2017 1:01:34 AM,78

Filter

filter {

csv {
separator => ","
columns => [
"URL",
"Date",
"Response"
]
}
date {
match => [ "Date","M/d/yyyy H:mm:ss" ]
target => "@timestamp"
}

}

Outpu

"Response" => "62",
"path" => "/home/elastic/elk/samplelog/urlresponse.csv",
"@timestamp" => 2018-01-11T10:45:21.323Z,
"@version" => "1",
"host" => "localhost.localdomain",
"message" => "xyz.com,1/1/2018 12:17:37 PM,62\r",
"URL" => "xyz.com",
"Date" => "1/1/2018 12:17:37 PM",
"tags" => [
[0] "_dateparsefailure"

CSV time id not filtering for @timestamp

i want to use CSV time ( "Date" => "1/1/2018 12:17:37 PM",) for indexing @timestamp.

paz · January 11, 2018, 2:53pm

Your date filter pattern is wrong, it's missing the AM/PM capture flag.

Also you might want to set a timezone on the date filter as well, else it will get your system's timezone and convert to UTC (so unless your system is also on UTC you could have offsets applied in your timestamp).

Try this:

filter {
    csv {
        separator => ","
        columns => ["URL","Date","Response"]
    }
    date {
        match => [ "Date","M/d/yyyy H:mm:ss a" ]
        timezone => "Etc/UTC"
        target => "@timestamp"
    }
}

rijinmp · January 16, 2018, 6:41am

Thank you @paz

system · February 13, 2018, 6:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.