Logstash - Trim value

pkaramol · July 3, 2018, 12:27pm

I have huge json files with logs, which are all timestamped in the form

result":{"@timestamp":"2016-11-30T21:59:59.699265Z"

The problem is that due to some reason, the timestamp format is in various forms, e.g. the following may also occur

"result":{"@timestamp":"2016-11-30T21:56:28.000Z"

I am able to parse correctly the second using this pattern:

yyyy-MM-dd'T'HH:mm:ss.000Z

but adjusting it to the first one will not work:

yyyy-MM-dd'T'HH:mm:ss.000000Z

What I want is to trim the field and only keep its first 19 characters, so as to throw away any XXXXXZ patterns;

How can anyone trim a field in logstash?

The following is not working:

  mutate  {
        add_field => [ "custom_time", "%{[result][@timestamp]}" ]
      }

.
.
.
    ruby  {
      code => '
        event.set("custom_time", "custom_time"[0...19])
      '
    }

pkaramol · July 3, 2018, 1:43pm

OK that worked:

  mutate  {
    add_field => [ "custom_time", "%{[result][@timestamp]}" ]
  }


  ruby  {
      code => '
        timevar = event.get("custom_time")
        event.set("custom_time", timevar[0...19])
       '
    }

    date {
        match => [ "[custom_time]", "yyyy-MM-dd'T'HH:mm:ss" ]
        tag_on_failure => ["no_date_match"]
    }

system · July 31, 2018, 1:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.