Split timestamp to date and time

mohamad.faisel · October 1, 2019, 7:13am

Hi,

How do I split timestamp field and store the result into timestamp_date and timestamp_time in logstash.

Thank you.

mohamad.faisel · October 2, 2019, 2:42am

I manage to get both date and time into saperate variables. Here is my script:

#Logstash filter
#/etc/logstash/patterns/ contains pfsense2-4-grok downloaded from https://github.com/patrickjennings/logstash-pfsense/blob/master/patterns/pfsense2-4.grok
filter{
    grok{
        patterns_dir => "/etc/logstash/patterns"
        match => [
            "message", "%{TIMESTAMP_ISO8601:timestamp} %{WORD:pf_host} filterlog: %{PFSENSE_LOG_DATA}%{PFSENSE_IP_SPECIFIC_DATA}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}",
            "message", "%{TIMESTAMP_ISO8601:timestamp} %{WORD:pf_host} filterlog: %{PFSENSE_LOG_DATA}%{PFSENSE_IPv4_SPECIFIC_DATA_ECN}%{PFSENSE_IP_DATA}%{PFSENSE_PROTOCOL_DATA}"
        ]
    }
    mutate {
        # Add 2 fields for date and time and set their value to timestamp
        add_field => { "timestamp_date"=> "%{timestamp}" }
        add_field => { "timestamp_time"=> "%{timestamp}" }
    }
    mutate {
        # Remove time section
        gsub => ["timestamp_date", "T\d{2}:\d{2}:\d{2}((.\d{3}Z)|([+\-]\d{2}:\d{2}))", ""]
    }
    mutate {
        # Remove date section
        gsub => ["timestamp_time", "\d{4}-\d{2}-\d{2}T", ""]
    }
    date {
        match => ["timestamp", "ISO8601"]
    }
}

However, I notice that my @timestamp is wrong. The system took the current date instead of the logged date. I might have missed some config lines here.

Please assist.

Thanks.

Badger · October 2, 2019, 12:35pm

What does the [timestamp] field look like?

mohamad.faisel · October 3, 2019, 2:06am

The image was below taken from Kibana showing all the extracted fields.

From the above image, please note the following :

Text highlighted in RED is @timestamp field which refers to the execution time
Text highlighted in BLUE is timestamp field which refers to the actual event time extracted from the log

Question : How do I make @timestamp having the same value as timestamp ?

Thank you.

Badger · October 3, 2019, 2:10pm

Please do not post pictures of text, just post the text. You can copy and paste it from the JSON tab in Kibana. Use markdown to make sure it is formatted correctly in the preview pane to the right of the edit pane.

mohamad.faisel · October 4, 2019, 2:59am

Dear Badger,

Sorry about that. Will do as recommended in the future.

Thanks.

system · November 1, 2019, 2:59am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Convert field containing a timestamp from string to a date / time or timestamp? Logstash	48	6639	April 6, 2021
Split date(yyyymmdd:hhmmss) and convert into default timestamp logstash Logstash	5	2583	March 30, 2017
Time field conversion Logstash	5	1345	September 12, 2018
Log timestamp filed converting as time filter field Logstash	3	369	June 7, 2019
Dateparsefailure on time field Logstash	4	242	October 6, 2020

Split timestamp to date and time

Related topics