Logstash - Trim value

pkaramol · July 3, 2018, 12:27pm

I have huge json files with logs, which are all timestamped in the form

result":{"@timestamp":"2016-11-30T21:59:59.699265Z"

The problem is that due to some reason, the timestamp format is in various forms, e.g. the following may also occur

"result":{"@timestamp":"2016-11-30T21:56:28.000Z"

I am able to parse correctly the second using this pattern:

yyyy-MM-dd'T'HH:mm:ss.000Z

but adjusting it to the first one will not work:

yyyy-MM-dd'T'HH:mm:ss.000000Z

What I want is to trim the field and only keep its first 19 characters, so as to throw away any XXXXXZ patterns;

How can anyone trim a field in logstash?

The following is not working:

  mutate  {
        add_field => [ "custom_time", "%{[result][@timestamp]}" ]
      }

.
.
.
    ruby  {
      code => '
        event.set("custom_time", "custom_time"[0...19])
      '
    }

pkaramol · July 3, 2018, 1:43pm

OK that worked:

  mutate  {
    add_field => [ "custom_time", "%{[result][@timestamp]}" ]
  }


  ruby  {
      code => '
        timevar = event.get("custom_time")
        event.set("custom_time", timevar[0...19])
       '
    }

    date {
        match => [ "[custom_time]", "yyyy-MM-dd'T'HH:mm:ss" ]
        tag_on_failure => ["no_date_match"]
    }

system · July 31, 2018, 1:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Trim from only one field Logstash	1	651	July 6, 2017
Logstash Does not extract timestamp from JSON Logstash	6	4950	July 6, 2017
How to convert timestamp in logstash Logstash	3	901	July 13, 2017
Optimizing Datefield processing by moving from date{} to ruby code Logstash	1	276	February 17, 2020
Modify @timestamp Logstash	2	1219	November 25, 2019

Logstash - Trim value

Related topics