Mutate or reformat Winlogbeat timestamp

jalcock · June 6, 2017, 12:31pm

Hello,

I am ingesting winlogbeat to Logstash. For specific events, I am outputting those events to a third party SIEM.

The @timestamp field is set to YYYY-MM-DDTHH:MM:SS.milliZ

Is it possible to reformat/mutate the field (or create a new field) to remove the T, millisecond, and Z offset? Is this a gsub or date filter solution? I am outputting the events using a specific codec to use the third party plugins for log parsing.

Apologies if this is blindingly obvious as I've been looking around and swear I must be missing something.

Would you use the date filter to match the above format, add a new field, and set the date filter target to that new field....then is it possible to mutate that field once it is set to a date field?

date {
match => { "@timestamp", "YYYY-MM-ddTHH:mm:ss.SSSZ" }
add_field => { "mynewtimestamp" }
target => { "mynewtimestamp" }
}
[ insert some sort of mutate that I don't know ]

magnusbaeck · June 8, 2017, 7:40pm

The date filter produces timestamps in a particular format. You'll have to use a ruby filter to write a piece of Ruby code to format the timestamp in another way. This might work (adjust time pattern to taste):

event.set('mytimestamp', event.get('@timestamp').time.strftime('%Y-%m-%d %H:%M:%s'))

jalcock · June 12, 2017, 1:23pm

Thank you, this is exactly what I need.

DISREGARD

I updated the code as it was outputting milliseconds instead of seconds.

Working code:

ruby {
    code => "event.set('mytimestamp', event.get('@timestamp').time.strftime('%Y-%m-%d %H:%M:%S'))"
}

system · July 10, 2017, 1:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.