Unable to convert fields into DATE type in Logstash

mangeshmj1992 · July 28, 2022, 8:12am

Hello team,
I am unbale to convert field into data type. Can you please help me on this. Format is coming as Text only

Sample Log:

CIG,CCI05_05_NRW_22102020043728_000014635.txt,26/07/2022 04:37:50,26/07/2022 04:42:12,CCI05_05_NRW_22102020043728_000014635.txt,26-07-2022 03:00,26-07-2022 04:42,CCI05_05_NRW_22102020043728_000014635.txt,04:42:33,,,SENT_FROM_BPM,,,,,

GROK:

%{GREEDYDATA},\s*%{DATE:date1}\s*%{TIME:time1}\,\s*%{DATE:date2}\s*%{TIME:time2}

Logstash Conf:

input {
  beats {
    port => 5044
  }
}

filter {
	grok {
	 match => { "message" => "%{GREEDYDATA},\s*%{DATE:date1}\s*%{TIME:time1}\,\s*%{DATE:date2}\s*%{TIME:time2}"
	 }
	 }
		mutate {
			add_field => {
				"Source_Creation_Date" => "%{date1} %{time1}"
				"Source_updation_Date" => "%{date2} %{time2}"
			}
		}
			date {
				match => [ "Source_Creation_Date", "dd/MM/yyyy HH:mm:ss", "dd/MM/yyyy  HH:mm:ss" ]
      }
	  date {
				match => [ "Source_updation_Date", "dd/MM/yyyy HH:mm:ss", "dd/MM/yyyy  HH:mm:ss" ]
      }
    }

output {
  elasticsearch {
   hosts => ["http://localhost:9200"]
   index => "testindexdata6"
  }
  stdout { codec => rubydebug }
}

Ofir_Edi · July 28, 2022, 10:35am

Hi @mangeshmj1992
date filter in Logstash is used to override @timestamp field with other value to your choice.
If you want Elasticseach to treat Source_Creation_Date and Source_updation_Date as dates then you can set the appropriate mapping when creating the index (using index template or manually).
e.g. manually (using kibana dev tools - if index exists delete it first as mapping cannot be changed):
PUT testindexdata6

{
  "mappings": {
    "properties": {
      "Source_Creation_Date": {
        "type": "date",
        "format": "dd/MM/yyyy HH:mm:ss"
      },
      "Source_updation_Date": {
        "type": "date",
        "format": "dd/MM/yyyy HH:mm:ss"
      }
    }
  }
}

You can remove date filters from Logstash pipeline
Bear in mind that you are not using timezone which can be fine if your data is from same timezone but is less recommended. Elasticsearch & Kibana "now" operator is always compared to UTC time.

system · August 25, 2022, 10:35am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Converting string(Time) field to date field...! Logstash	5	1081	September 14, 2017
How to change data type for date field? Logstash	5	16734	July 6, 2017
Convert String to Date field Logstash	3	369	April 26, 2023
Logstash tcp plugin Logstash	4	217	December 22, 2022
Cant convert timestamp field from text to date Kibana	1	179	March 22, 2023

Unable to convert fields into DATE type in Logstash

Related Topics