Parsing date for @timestamp

I have a timestamp in my CSV file that's in this format: 3/3/2013 21:53

However, sometimes the format will change to:
3/4/2013 1:05

When I use this configuration file, it makes the timestamp the time I inject the data into Logstash. I've spent all day trying to figure this out; can anybody point me in the right direction?

input {
  file {
    path => "/usr/share/logstash/bin/marx-geo.csv"
    start_position => "beginning"
    sincedb_path => "/dev/null"
    codec => plain {
      charset => "ISO-8859-1"
    }
  }
}
filter {
  date {
    match => ["DateTime","M/dd/yyyy HH:mm", "M/d/yyyy H:mm"]
    target => "@timestamp"
  }
  csv {
    separator => ","
    columns =>["DateTime","Host","Src","Proto","Type","Spt","Dpt","SrcStr","CC","Country","Locale","LocaleBB","$

  }

}

output {
  elasticsearch {
    hosts => "http://192.168.30.11:9200"
    index => "geo023"
  }
}

First, the date filter that parses the [DateTime] filter has to come after the csv filter that creates it.

Secondly, in many cases a single character in a date filter will match both one- and two-digit fields, so you may well be able to remove the "M/dd/yyyy HH:mm" and just match against "M/d/yyyy H:mm". (You will need the mm to match 05.)

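The reordering described in the answer above, as an added example that is not part of the original posts: the csv filter runs first so that DateTime exists when the date filter runs, and a single pattern covers both sample timestamps. The column list stops where the pasted config is cut off, and the failure check with its `timestamp_source` field name is a hypothetical addition for spotting rows that fell back to ingest time.

```logstash
filter {
  # 1. Split the line first; this is what creates the DateTime field.
  csv {
    separator => ","
    # Only the columns visible in the post; the original list is cut off
    # after "LocaleBB", so append the remaining column names from your file.
    columns => ["DateTime","Host","Src","Proto","Type","Spt","Dpt","SrcStr","CC","Country","Locale","LocaleBB"]
  }

  # 2. Parse DateTime now that it exists. "M", "d" and "H" accept one or two
  #    digits, so this matches both "3/3/2013 21:53" and "3/4/2013 1:05".
  date {
    match  => ["DateTime", "M/d/yyyy H:mm"]
    target => "@timestamp"
  }

  # 3. When parsing fails, the date filter tags the event with
  #    _dateparsefailure and @timestamp stays at ingest time.
  #    Marking those events makes the silent fallback visible.
  #    (timestamp_source is a hypothetical field name, not from the thread.)
  if "_dateparsefailure" in [tags] {
    mutate { add_field => { "timestamp_source" => "ingest_time" } }
  }
}
```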

Thank you so much it works!
