Merge date and time field

Bigranawab · July 28, 2020, 8:28am

So, I have been trying to parse fortigate logs using logstash, I came across date and time fields, in fortigate there are two different fields, I tried to parse those fileds
using

mutate {add_field => { "@timestamp" => "%{date} %{time}" }}
date {
    match => [ "@timestamp", "MMM dd yyyy HH:mm:ss", "MMM  d yyyy HH:mm:ss", "ISO8601" ]
    timezone => "Asia/Karachi"
    #target => "@timestamp"
    }

and I got below mentioned ans
date=2020-07-28 time=01:24:44
"@timestamp" => 2020-07-28T08:31:40.739Z
where date is correct by time is 8 rather than 01,
can someone help here

Bigranawab · July 28, 2020, 8:29am

In my original config target field is not commented

warkolm · July 28, 2020, 8:32am

Is that the value of %{date} and %{time}?

Bigranawab · July 28, 2020, 8:41am

yes it is

Jenni · July 28, 2020, 10:07am

I see two problems:

That should have given you a _mutate_error when you tried to overwrite @timestamp with an array (by adding a second value to the existing one) as it has to be a timestamp.
Your date patterns don't match your input.

You can do it like this:

mutate {
    add_field => { "ts" => "%{date}T%{time}" }
}
date {
  match => [ "ts", "ISO8601" ]
  timezone => "Asia/Karachi"
  remove_field => "ts"
}

Topic		Replies	Views
Modify @timestamp Logstash	2	1253	November 25, 2019
Timestamp and @timestamp not properly mapping Logstash	5	1392	October 5, 2017
Dateparsefailure on time field Logstash	4	259	October 6, 2020
How to convert multiple time fields into Logstash timestamp format Logstash	2	1066	July 6, 2017
Parsing log date into timestamp Logstash	2	483	February 8, 2022

Merge date and time field

Related topics