Unable to format date and time correctly

sidhusaab · December 27, 2019, 6:00pm

I have been reading on various forums here, on stackoverflow and java pages about date time formatting. I have syslog time stamp which is "Dec 10 01:23:44" format. I simply wanted to add year to the timestamp so I added %{+YYYY}. So now my JSON in elasticsearch looks like this:

I can see the logdate and time being parsed correctly but the fields {} is parsing it with full date stamp but in year 1970. If I combine the two fields together I still get year 1970.

    {
      "_index": "dns1_2019.12.27",
      "_source": {
        "dns_type": "zone_transfer",
        "type": "syslog",
        "@timestamp": "2019-12-27T17:29:23.590Z",
        "logdate": "2019-Dec-27",
        "time": "12:21:13",
      },
      "fields": {
        "@timestamp": [
          "2019-12-27T17:29:23.590Z"
        ],
        "logdate": [
          "1970-12-27T00:00:00.000Z"
        ],
        "time": [
          "1970-01-01T12:21:13.000Z"
        ]
      }
    }

sidhusaab · December 27, 2019, 9:08pm

So I combined the fields together manually creating "dnstimestamp" => "2019-Dec-27 16:05:27" which is now read properly.

This was my working grok before I cleaned up:

                  split => ["dns_timestamp", " "]
                  add_field => { "logdate" => "%{+YYYY}-%{[dns_timestamp][0]}-%{[dns_timestamp][1]}"
                                 "time" => "%{[dns_timestamp][2]}"
                                 "dnstimestamp" => "%{logdate} %{time}"
                               }
                  remove_field => [ "message", "dns_timestamp" ]
          }

system · January 24, 2020, 9:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.