Unble to convert to date string field

casquero · June 22, 2021, 1:52pm

I've tried to create a new field as date but always appears as string in Kibana, I've done the following:

  mutate {
    add_field => {
      "timestampTest" => "%{localisodate}"
    }
  }
  date {
    match => ["timestampTest", "YYYY.MM.dd"]
    target => "@timestamp"
  }

localisodate is a field captured in an event like:

code => 'myArray=event.get("message").split("|", -1)
event.set("localisodate",myArray[0])

Result in kibana:

elasticforme · June 22, 2021, 1:55pm

because you are not changing timestampTest with date

here is you have problem.

date {
match => ["timestampTest", "YYYY.MM.dd"]
target => "timestampTest"
}

casquero · June 22, 2021, 1:59pm

After changing the target still persits as String

date {
    match => ["timestampTest", "YYYY.MM.dd"]
    target => "timestampTest"
  }

casquero · June 22, 2021, 1:59pm

I've also created a new Kibana index

elasticforme · June 22, 2021, 2:01pm

what is the output when you run this on commandline?

casquero · June 22, 2021, 2:04pm

What do u mean with running in commandline? I am noob with ELK...

elasticforme · June 22, 2021, 2:08pm

ok what is your original timestampTest value? 2021.06.20 something like this?

casquero · June 22, 2021, 2:12pm

The field comes from different log traces and it takes several values, like this:

elasticforme · June 22, 2021, 2:53pm

ok. your original post didn't had this and hence no way to tell anything.
your date matching is wrong.

and please don't post pic. as we can't cut-paste from it.

Here are some example
2021-06-22
date { match => ["timestampTest", "yyyy-MM-dd"]
target => "timestampTest" }

2021-06-22 16:12:12
date { match => ["timestampTest", "yyyy-MM-dd HH:mm:ss"]
target => "timestampTest" }

2021-06-22 16:12:12,413
date { match => ["timestampTest", "yyyy-MM-dd HH:mm:ss,SSS"]
target => "timestampTest" }

and for your original message
2021-06-2216:12:12,413
date { match => ["timestampTest", "yyyy-MM-ddHH:mm:ss,SSS"]
target => "timestampTest" }

Here is how do quick test for any small test like this. There is also way you can do it from whole thing on command line.

I have quick_test.conf file

input {
   generator {
     message => '{"num": 101, "timestampTest":"2021-06-2216:12:12,413"}' 
      count => 1
   }
}

filter {
   json { source => "message" }
     date { match => ["timestampTest", "yyyy-MM-ddHH:mm:ss,SSS"]
          target => "timestampTest" }
}

output   {
 stdout { codec => rubydebug }
}

and then I run this from command line

/usr/share/logstash/bin/logstash -f quick_test.conf

casquero · June 22, 2021, 6:14pm

that worked thanks!

elasticforme · June 22, 2021, 6:30pm

Great, mark thread as solved, that way if someone else search on it. they will easily know it

system · July 20, 2021, 6:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to convert field date from String to Date? Logstash	13	9305	April 20, 2020
Converting string to date Logstash	8	51115	July 6, 2017
String to Date, besides default system @timestamp Logstash	3	838	July 6, 2017
Create a new field type date from csv with logstash Logstash	3	322	August 8, 2019
Conver String to date (or replace @timestamp) (SOLVED) Logstash	13	20093	July 6, 2017

Unble to convert to date string field

Related topics