Replace timestamp by a other field

FR-TheS · July 10, 2017, 2:20pm

Hello everybody,

I know this subject is asked many time but after many try, I don't understand some things...

Here is my data input

"@timestamp" => 2017-07-10T14:12:01.442Z,
"data_completiondate" => 2017-07-01T02:02:35.610Z,
"xdateinserted" => 2017-07-01T00:00:10.153Z,

Here is my filter logstash cfg

 filter {
 	date {
 		match => ["xdateinserted" , "yyyy-MM-dd'T'HH:mm:ss.SSSZ"]
 	}
 }

I got a [0] "_dateparsefailure" and don't understand why because my match seems ok for me.
I've tried ISO8601 too.

FR-TheS · July 10, 2017, 3:54pm

I have follow the guide : https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html
and got the same result with

> input {
> 	stdin {}
> }

> filter {
>   date {
> 	match => [ "message", "MMM dd HH:mm:ss" ]
>   }
> } 

> output {
> 	stdout {codec => rubydebug}
> }

Input => Apr 17 09:32:01

> {
>     "@timestamp" => 2017-07-10T15:52:13.091Z,
>       "@version" => "1",
>           "host" => "SWPAFRCT801",
>        "message" => "Apr 17 09:32:01\r",
>           "tags" => [
>         [0] "_dateparsefailure"
>     ]
> }

Something is really weird and not understandable...
I'm new on logstash, maybe my fault.

FYI, i'm using logstash 5.4.3 actually

Christian_Dahlqvist · July 10, 2017, 4:00pm

How are you getting the data into Logstash? Might it be that those fields are already dates, and not strings?

FR-TheS · July 10, 2017, 4:05pm

In first post, it's a datetime field getting on an sql server,
Second post, it's directly on input so I think it's a string ?

Christian_Dahlqvist · July 10, 2017, 4:09pm

What does the event look like if you output it to a stdout output plugin with a rubydebug codec?

FR-TheS · July 10, 2017, 4:16pm

a dateparsefailure.

> {
>        "@timestamp" => 2017-07-10T16:16:01.944Z,
>     "xdateinserted" => 2017-07-01T00:00:10.153Z,
>          "@version" => "1",
>              "tags" => [
>         [0] "_dateparsefailure"
>     ]
> }

Configuration :
> filter {
> date {
> match => ["xdateinserted" , "yyyy-MM-dd'T'HH:mm:ss.SSSZ"]
> }
> }
> output {
> stdout {codec => rubydebug}
> }

FR-TheS · July 11, 2017, 10:02am

Any news ?

Christian_Dahlqvist · July 11, 2017, 10:13am

As far as I can see it looks like it may already be a date field as there are no quotation marks to indicate that it is a string.

FR-TheS · July 11, 2017, 11:25am

Thanks for the return.
Yes it's already a date field from sql server but how can I replace the default timestamp by this value?
And why when I tried the action of my second msg, it's again a dateparsefailure from string input?

Just want to understand, sorry.

Leandro_Sampaio · July 11, 2017, 11:40am

Use a function date .... It's the best solution .

magnusbaeck · July 11, 2017, 2:58pm

Yes it's already a date field from sql server but how can I replace the default timestamp by this value?

You can just use a mutate filter to copy the field value.

And why when I tried the action of my second msg, it's again a dateparsefailure from string input?

github.com/logstash-plugins/logstash-filter-date

Date filter fails to parse timestamps

opened 05:09AM - 28 Apr 17 UTC

magnusbaeck

When using the jdbc input to fetch events from a database, timestamp fields end …up as timestamp fields in Logstash. One could argue that this is a feature, but it causes confusion since those fields apparently can't be processed by the date filter. Could we either call to_s on the source string or check if the source already is a timestamp and, if so, just copy it to the destination field? See https://discuss.elastic.co/t/trouble-matching-timestamp/83768 for an example.

system · August 8, 2017, 3:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.