Merge date and time field

Bigranawab · July 28, 2020, 8:28am

So, I have been trying to parse fortigate logs using logstash, I came across date and time fields, in fortigate there are two different fields, I tried to parse those fileds
using

mutate {add_field => { "@timestamp" => "%{date} %{time}" }}
date {
    match => [ "@timestamp", "MMM dd yyyy HH:mm:ss", "MMM  d yyyy HH:mm:ss", "ISO8601" ]
    timezone => "Asia/Karachi"
    #target => "@timestamp"
    }

and I got below mentioned ans
date=2020-07-28 time=01:24:44
"@timestamp" => 2020-07-28T08:31:40.739Z
where date is correct by time is 8 rather than 01,
can someone help here

Bigranawab · July 28, 2020, 8:29am

In my original config target field is not commented

warkolm · July 28, 2020, 8:32am

Is that the value of %{date} and %{time}?

Bigranawab · July 28, 2020, 8:41am

yes it is

Jenni · July 28, 2020, 10:07am

I see two problems:

That should have given you a _mutate_error when you tried to overwrite @timestamp with an array (by adding a second value to the existing one) as it has to be a timestamp.
Your date patterns don't match your input.

You can do it like this:

mutate {
    add_field => { "ts" => "%{date}T%{time}" }
}
date {
  match => [ "ts", "ISO8601" ]
  timezone => "Asia/Karachi"
  remove_field => "ts"
}

system · August 25, 2020, 10:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dateparsefailure on time field Logstash	4	242	October 6, 2020
Timestamp and @timestamp not properly mapping Logstash	5	1342	October 5, 2017
Parsing date_field with date plugin and set it as @timestamp Logstash	3	259	October 21, 2020
Help with Date Logstash	6	589	December 16, 2016
How to parse date field into @timestamp Logstash	18	35172	December 12, 2017

Merge date and time field

Related topics