Mapping timestamp field from catalina logs to elasticsearch

aviral_srivastava · March 30, 2016, 9:21am

My Catalina logs contains timestamp in this format:-
Mar 23, 2016 11:33:14 AM org.apache.catalina.core.AprLifecycleListener init

My goal is to create Date Histogram using timestamp field in kibana.
Since timestamp field is taken as string type by default in kibana. So, timestamp field was not visible when I selected Date Histogram I tried to define the mapping as follows using joda docs:-

POST /catalina_logs_20160330
{"settings":{"number_of_shards":1},"mappings":{"type1"
:{"_source":{"enabled":false},"properties":{
"timestamp":{"type":"date","format":"MMM dd, YYYY hh:mm:ss"},"className":{"type":"string","index":"not_analyzed"},
"methodName":{"type":"string","index":"not_analyzed"},
"message":{"type":"string","index":"not_analyzed"}
}}
}}

But what is the format for AM or PM ???

cbuescher · March 30, 2016, 9:42am

Hi,

According to , http://www.joda.org/joda-time/apidocs/org/joda/time/format/DateTimeFormat.html, "a" might do the trick.

aviral_srivastava · March 30, 2016, 12:47pm

I tried your approach but I am getting illegal agrument exception.
This is the format of timestamp in logs Mar 23, 2016 11:33:14 AM. Is there any online tool or any other way we can check that we have correctly specified the format.

cbuescher · March 30, 2016, 1:08pm

Can you add your exact mapping, the document you are trying to index and the error message you are seeing?

aviral_srivastava · April 1, 2016, 11:15am

I found an alternative solution to it , i.e., we can use date filter which maps timestamp from our catalina logs to @timestamp in kibana.
While configuring index pattern in kibana we need to select the option.
Index contains time-based events .