Parsing log date into timestamp

In the JSON-format logs sent from Filebeat to Logstash, I have a field named "time". In the logstash.conf, I mutate it to create a field in the Kibana log called rawDate.

logstash.conf:

    mutate {
        add_field => {"rawDate" => "%{[parsed_json][time]}"}
    }

Now the log on Kibana has 2 fields that look like this:

    @timestamp  Jan 11, 2022 @ 11:09:46.817
    rawDate     Mon Jan 10 2022 23:09:32 GMT-0500 (Eastern Standard Time)

I'm trying to parse the rawDate to replace the @timestamp but couldn't figure out how to do it. Inside the logstash.conf, I tried to add this but it didn't work:

    date {
        match => ["time", "EEE MMM dd yyyy HH:mm:ss ZZZ"]
        target => "@timestamp"
    }

ZZZ matches the ids listed on the Joda TZ page. You will need to modify the string before trying to parse it.

    mutate { add_field => { "rawDate" => "Mon Jan 10 2022 23:09:32 GMT-0500 (Eastern Standard Time)" } }
    # Etc/GMT zone ids use the POSIX sign convention (Etc/GMT+5 is UTC-05:00), so the sign is flipped.
    mutate { gsub => [ "rawDate", " \(Eastern \w+ Time\)", "", "rawDate", "GMT", "Etc/GMT", "rawDate", "-0(\d)00", "+\1" ] }
    date { match => ["rawDate", "EEE MMM dd yyyy HH:mm:ss ZZZ"] }
1 Like
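
An added example, not part of the thread: a Python cross-check that computes the UTC instant a `rawDate` string in this layout denotes, plus the Etc/GMT zone id with the same offset, so the `@timestamp` produced by a pipeline can be compared against it. The function names are hypothetical and the India Standard Time sample is constructed; it also covers offsets that have no Etc/GMT id.

```python
import re
from datetime import datetime, timezone

# Layout of rawDate on this page (JavaScript Date.toString() style), e.g.
# "Mon Jan 10 2022 23:09:32 GMT-0500 (Eastern Standard Time)"
RAW_DATE = re.compile(
    r"^(?P<stamp>\w{3} \w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"GMT(?P<offset>[+-]\d{4})(?: \(.*\))?$"
)


def _match(raw):
    m = RAW_DATE.match(raw.strip())
    if m is None:
        raise ValueError(f"unrecognised rawDate: {raw!r}")
    return m


def parse_raw_date(raw):
    """Return the instant in rawDate as a timezone-aware UTC datetime."""
    m = _match(raw)
    local = datetime.strptime(
        f"{m['stamp']} {m['offset']}", "%a %b %d %Y %H:%M:%S %z"
    )
    return local.astimezone(timezone.utc)


def etc_gmt_id(raw):
    """Return the Etc/GMT zone id for rawDate's offset, or None if none exists.

    Etc/GMT ids use the POSIX sign convention, so UTC-05:00 is "Etc/GMT+5".
    Only whole-hour offsets from UTC-12 to UTC+14 have such an id.
    """
    offset = _match(raw)["offset"]
    sign, hours, minutes = offset[0], int(offset[1:3]), int(offset[3:])
    if minutes or (sign == "-" and hours > 12) or (sign == "+" and hours > 14):
        return None
    if hours == 0:
        return "Etc/GMT"
    return f"Etc/GMT{'+' if sign == '-' else '-'}{hours}"


if __name__ == "__main__":
    page_sample = "Mon Jan 10 2022 23:09:32 GMT-0500 (Eastern Standard Time)"
    constructed = "Tue Jul 05 2022 09:30:00 GMT+0530 (India Standard Time)"
    for raw in (page_sample, constructed):
        print(parse_raw_date(raw).isoformat(), etc_gmt_id(raw))
```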
