Replace @timestamp or add new field with time from log file

I have the sample log below, and I need to replace @timestamp, or add a new field, using the 15:38:43.335 segment.

-15:38:43.335 U888 ExecuteThread: '3' for queue ...

I used the filter below, but it did not work.

filter {
  date {
    match => ["message", "'-'HH:mm:ss.SSS"]
    target => "@timestamp"
  }
}

A date filter has to match the entire field, not just a prefix. You could use dissect (or grok) to parse out the timestamp from the message and then match against just that.


Thanks for the reply.

I used the filter below:

dissect {
  mapping => { 'message' => '%{@timestamp} %{message}' }
}

But Logstash failed because there is an exception in the pipeline worker for the '-' character in front of the time. How can I remove the '-' character and change that format to yyyy-MM-dd HH:mm:ss.SSS at the same time?

Also, I need to put that into @timestamp for sorting in the Kibana dashboard.

I found a solution from the link below:

https://discuss.elastic.co/t/logstash-cannot-assign-correct-date-to-log-timestamp/89249/7?u=pashang

and I used the filter below:

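filter {
  # Capture the HH:mm:ss.SSS portion of the line into logTime
  grok { match => { "message" => "(?<logTime>[0-9]{2}:[0-9]{2}:[0-9]{2}.[0-9]{3})" } }
  # Take today's date from the Logstash host clock
  ruby { code => 'event.set("currentDate", Time.now.strftime("%Y.%m.%d"))' }
  # Join date and time into one string
  ruby { code => 'event.set("logTimestamp", event.get("currentDate") + " " + event.get("logTime"))' }
  # Parse it into @timestamp (the date filter's default target)
  date { match => ["logTimestamp", "YYYY.MM.dd HH:mm:ss.SSS"] }
}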

Thanks, everyone 🙂
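The filter above takes the date from `Time.now`, so a line written just before midnight and processed just after it is stamped almost a day in the future, which distorts any timeline built on @timestamp. The following is an added example, not code from this thread: plain Ruby (the language of the ruby filter) that extracts the `-HH:mm:ss.SSS` prefix, attaches the ingest date, and steps back one day when the result would lie in the future. The helper name `resolve_log_time`, the 300-second skew tolerance and the sample lines in the test are assumptions.

```ruby
# Matches the leading "-HH:mm:ss.SSS" of the log line; the dot is escaped so
# it only matches a literal ".".
LOG_TIME_RE = /\A-(\d{2}):(\d{2}):(\d{2})\.(\d{3})(?=\s|\z)/

# Assumed tolerance for clock skew between the log source and the indexer.
MAX_FUTURE_SKEW = 300 # seconds

# Hypothetical helper: returns a Time for the event, or nil when the line has
# no valid time prefix. `now` is the ingest time, injected so it can be tested.
def resolve_log_time(message, now = Time.now)
  m = LOG_TIME_RE.match(message)
  return nil unless m

  h, mi, s, ms = m.captures.map(&:to_i)
  return nil if h > 23 || mi > 59 || s > 59

  # Attach the ingest date, using the same UTC offset as `now`.
  sec = Rational(s * 1000 + ms, 1000)
  ts = Time.new(now.year, now.month, now.day, h, mi, sec, now.utc_offset)

  # A log time well ahead of "now" means the line was written before
  # midnight and read after it, so it belongs to the previous day.
  ts -= 86_400 if ts - now > MAX_FUTURE_SKEW
  ts
end
```

Files replayed more than a day after they were written still need the real date from another source, such as the file name, because the log line itself does not carry it.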
