Parse string to date and have difference between 2 dates

Pierre_What_s_Up_Sca · February 16, 2018, 4:32pm

Hi !
I have a string with this format :

Fri Feb 16 14:30:09 CET 2018

I init a field like this :

mutate {
add_field => { "dateLog" => "%{message}" }
}
mutate {
gsub => [ "dateLog", "INFOS:\s", "" ]
}
mutate {
gsub => [ "dateLog", "\s([0-9.])\s([A-Z])\s([^ ])(\s)([^ ])\s([^ ])\s([^ ]\s[A-Za-z]\s[0-9]\s[0-9:]\s[A-Z]\s[0-9])\s([0-9]{3})\s([0-9.-])\s([0-9.-])\s[A-Za-z0-9-]\s[^ ]\s[^ ]\s[^ ]\s", "" ]
}

The string format is ok, no problem with this but I need to convert it to date, and have the difference with @timestamp.

How can I do ?

Do you have an exemple for me ?

cb2015 · February 16, 2018, 4:44pm

Have you looked into the date filter to convert the string into a date more simply than your regex?
https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html

From there, I think you could use the elapsed plugin to find the time difference you want. https://www.elastic.co/guide/en/logstash/6.2/plugins-filters-elapsed.html

Pierre_What_s_Up_Sca · February 16, 2018, 4:51pm

thank you for your reply : I tried this but it does not work :
date {
match => [ "dateLog", "MMM d H:mm:ss yyyy" ]
}

Badger · February 16, 2018, 4:59pm

That does not match "MMM d H:mm:ss yyyy". There is a day of the week (EEE) and an identity timezone (ZZZ) in there.

rcowart · February 16, 2018, 5:00pm

I used this recently at a customer, and it might help point you in the right direction...

# Convert the dates to a proper timestamp.
date {
  match => [ "BEGIN", "dd/MM/YYYY HH:mm:ss.SSSSSS" ]
  timezone => "UTC"
  target => "BEGIN"
}
date {
  match => [ "LAST", "dd/MM/YYYY HH:mm:ss.SSSSSS" ]
  timezone => "UTC"
  target => "LAST"
}

# If the dates parsed properly calculate the runtime in seconds (precision is ms).
if "_dateparsefailure" not in [tags] {
  ruby {
    code => "
      event.set('[RUNTIME_SEC]', (event.get('[LAST]').to_f - event.get('[BEGIN]').to_f).round(3));
    "
  }
}

Pierre_What_s_Up_Sca · February 17, 2018, 8:09am

So how can I do ?

Pierre_What_s_Up_Sca · February 17, 2018, 8:10am

Thank you for your reply I will test it when I succeed to parse my string

Badger · February 17, 2018, 1:57pm

That would match if dateLog were something like "Feb 16 14:30:09 2018", but you said it is formatted as "Fri Feb 16 14:30:09 CET 2018". So you need to modify the pattern to include items to match the "Fri" and "CET". The pattern has to match every part of the date string.

Pierre_What_s_Up_Sca · February 17, 2018, 2:14pm

     "dateLog" => "Feb 16 14:30:09 2018",

I have change the format like you say, but nothing has changed .... I do not have a field date

Badger · February 17, 2018, 4:06pm

So what exactly does your configuration look like? If I run logstash with this configuration

input { stdin { } }
output { stdout { codec => rubydebug } }
filter { date { match => [ "message", "MMM d H:mm:ss yyyy" ] } }

and feed it Feb 16 14:30:09 2018, then it gets parsed...

    "@timestamp" => 2018-02-16T19:30:09.000Z,
       "message" => "Feb 16 14:30:09 2018",

Pierre_What_s_Up_Sca · February 19, 2018, 7:25am

Yes but how can I inject :
"message" => "Feb 16 14:30:09 2018",
in date format inside ElasticSearch ?

system · March 19, 2018, 7:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.