Problem to add new date field in filter logstash

I have a date field called case_start_time in date and time format.
I am trying to add a new field called case_day, which takes the date without the time from case_start_time.

case_start_time: 09/07/23 23:54:26

case_day should be 09/07/23

I tried to use this Logstash filter:

    filter {
        mutate {
            split => { "case_start_time" => " " }
            add_field => { "case_day" => "%{[case_start_time][0]}" }
        }
    }

and got the array pattern itself and not the content as required:
case_day: %{[case_start_time][0]}

I have also tried to use Ruby code:

`ruby {code => 'event.set("case_day", event.get("case_start_time").split(" ")[0])'}`

and got
Ruby exception occurred: undefined method `strftime'

I also tried

    date {
        match => ["case_start_time", "DD/MM/YY  HH:mm:ss", "ISO8601"]
        target => "case_day"
        #remove_field => ["case_start_time"]
    }
    mutate {
        gsub => ["case_day", "^(\d{2}\/\d{2}\/\d{2}).*$", "\1"]
    }

and got dateparseerror.
What is the right filter that I should use?

Can you share an example of your document? Because I replicated your filter and it worked without any issues.

In this case you have an extra space between the date and the time.

I've noticed that the date format I was using was wrong.
This is the correct date format:
`yyyy-mm-ddTHH:mm:ss.SSSZ`

I changed the match field:

    match => ["case_start_time","yyyy-mm-dd HH:mm:ss.SSSZ"]

and got the same error.
I also tried to use

    match => ["case_start_time","yyyy-mm-dd HH:mm:ss.SSSZ" , " ISO8601"]

but with no luck.

This is how my document looks:

    {
      "_index": "cust_complaints_2023.07.12",
      "_type": "_doc",
      "_id": "fHp7SIkBhU-YqjIOOT3v",
      "_version": 1,
      "_score": null,
      "_source": {
        "inbox_name": "team mail",
        "emp_name": "emp1",
        "case_id": 999999,
        "@version": "1",
        "tags": [
          "_dateparsefailure"
        ],
        "case_start_time": "2023-07-11T20:53:06.000Z",
        "customer_id": 888888,
        "catgory": "remote_control",
        "case_subject": "test test test",
        "@timestamp": "2023-07-12T05:03:02.522Z",
        "customer_code": "1.24531994",
        "case_note": "test test1 test2"
      },
      "fields": {
        "case_start_time": [
          "2023-07-11T20:53:06.000Z"
        ],
        "@timestamp": [
          "2023-07-12T05:03:02.522Z"
        ]
      },
      "sort": [
        1689108786000
      ]
    }

    match => ["case_start_time","yyyy-MM-dd'T'HH:mm:ss.SSSZ"]

Please use this format and give it a try.
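
Added example, not written by any poster in this thread: stand-alone Ruby for the value a `ruby` filter could store in `case_day` via `event.set`, covering both `case_start_time` shapes shown above plus a timestamp object. The helper names, the day/month order (taken from the poster's `DD/MM/YY` attempt), the use of UTC and the sample values are assumptions.

```ruby
require "time"

DAY_FORMAT    = "%d/%m/%y"              # output shape asked for in the question
LEGACY_FORMAT = "%d/%m/%y %H:%M:%S %z"  # strptime form of "dd/MM/yy HH:mm:ss" (assumed order)

# Parse a case_start_time string; returns nil when neither shape matches,
# the situation a date filter reports with the _dateparsefailure tag.
def parse_case_start(str)
  s = str.strip.squeeze(" ")            # tolerate a doubled space between date and time
  begin
    return Time.iso8601(s)              # e.g. "2023-07-11T20:53:06.000Z"
  rescue ArgumentError
    # not ISO8601, fall through to the legacy shape
  end
  Time.strptime("#{s} +0000", LEGACY_FORMAT)  # e.g. "09/07/23 23:54:26", read as UTC
rescue ArgumentError
  nil
end

# Accepts a String, a Time, or an object exposing #time
# (LogStash::Timestamp does); returns "dd/mm/yy" in UTC or nil.
def case_day(value)
  t = if value.is_a?(Time) then value
      elsif value.is_a?(String) then parse_case_start(value)
      elsif value.respond_to?(:time) then value.time
      end
  t && t.getutc.strftime(DAY_FORMAT)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values based on the formats quoted in the thread.
  ["2023-07-11T20:53:06.000Z", "09/07/23 23:54:26", "09/07/23  23:54:26",
   "2023-07-12T01:30:00+03:00", "not a date"].each do |v|
    puts "#{v.inspect} -> #{case_day(v).inspect}"
  end
end
```

Because the day is taken in UTC, a timestamp shortly after local midnight can land on the previous UTC day, as the `+03:00` sample shows.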
