i want to make the seconds field from the timestamp field 2015-10-27T00:07:20.168+0000 in logstash 00 and create the new time stamp.
Could u please help me how can i achieve this.
From 2015-10-27T00:07:20.168+0000 to 2015-10-27T00:07:00.168+0000
regards
Dibya
or also how can we make 2015-10-27T00:07:20 to 2015-10-27T00:07:00.
Anyways look forward to somebody's help on this
You can e.g. use the mutate filter's gsub option. If there aren't any milliseconds or a timezone this should work:
mutate {
gsub => ["timestamp", ":\d\d$", ":00"]
}But if there is a timezone and millisecond then how can i go about it
my timestamp is like 2015-10-27T00:07:20.168+0000.
how can i do this to 2015-10-27T00:07:00.168+0000
Well, it's basically the same. It's just that the seconds are followed by a period instead of the $ end-of-string marker. Don't forget that periods need to be escaped to be taken literally.
thanks magnus .you are always a help. Let me try
could you please give me the exact expression of gsub for my timestamp which is with millisecond and timezone
mutate {
gsub => ["timestamp", ":\d\d\.", ":00."]
}not working 
magnus, 1 more thing i want to tell.
I don't want to cut down time zone field . just want to change the seconds field to 00.
Works just fine for me. Over and out.
$ cat test.config
input { stdin { } }
output { stdout { codec => rubydebug } }
filter {
mutate {
gsub => ["message", ":\d\d\.", ":00."]
}
}
$ echo '2015-10-27T00:07:20.168+0000' | /opt/logstash/bin/logstash -f test.config
Logstash startup completed
{
"message" => "2015-10-27T00:07:00.168+0000",
"@version" => "1",
"@timestamp" => "2015-11-06T15:46:51.272Z",
"host" => "lnxolofon"
}
Logstash shutdown completedyou are right. I had missed the \
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.