Unble to convert to date string field

casquero · June 22, 2021, 1:52pm

I've tried to create a new field as date but always appears as string in Kibana, I've done the following:

  mutate {
    add_field => {
      "timestampTest" => "%{localisodate}"
    }
  }
  date {
    match => ["timestampTest", "YYYY.MM.dd"]
    target => "@timestamp"
  }

localisodate is a field captured in an event like:

code => 'myArray=event.get("message").split("|", -1)
event.set("localisodate",myArray[0])

Result in kibana:

elasticforme · June 22, 2021, 1:55pm

because you are not changing timestampTest with date

here is you have problem.

date {
match => ["timestampTest", "YYYY.MM.dd"]
target => "timestampTest"
}

casquero · June 22, 2021, 1:59pm

After changing the target still persits as String

date {
    match => ["timestampTest", "YYYY.MM.dd"]
    target => "timestampTest"
  }

casquero · June 22, 2021, 1:59pm

I've also created a new Kibana index

elasticforme · June 22, 2021, 2:01pm

what is the output when you run this on commandline?

casquero · June 22, 2021, 2:04pm

What do u mean with running in commandline? I am noob with ELK...

elasticforme · June 22, 2021, 2:08pm

ok what is your original timestampTest value? 2021.06.20 something like this?

casquero · June 22, 2021, 2:12pm

The field comes from different log traces and it takes several values, like this:

elasticforme · June 22, 2021, 2:53pm

ok. your original post didn't had this and hence no way to tell anything.
your date matching is wrong.

and please don't post pic. as we can't cut-paste from it.

Here are some example
2021-06-22
date { match => ["timestampTest", "yyyy-MM-dd"]
target => "timestampTest" }

2021-06-22 16:12:12
date { match => ["timestampTest", "yyyy-MM-dd HH:mm:ss"]
target => "timestampTest" }

2021-06-22 16:12:12,413
date { match => ["timestampTest", "yyyy-MM-dd HH:mm:ss,SSS"]
target => "timestampTest" }

and for your original message
2021-06-2216:12:12,413
date { match => ["timestampTest", "yyyy-MM-ddHH:mm:ss,SSS"]
target => "timestampTest" }

Here is how do quick test for any small test like this. There is also way you can do it from whole thing on command line.

I have quick_test.conf file

input {
   generator {
     message => '{"num": 101, "timestampTest":"2021-06-2216:12:12,413"}' 
      count => 1
   }
}

filter {
   json { source => "message" }
     date { match => ["timestampTest", "yyyy-MM-ddHH:mm:ss,SSS"]
          target => "timestampTest" }
}

output   {
 stdout { codec => rubydebug }
}

and then I run this from command line

/usr/share/logstash/bin/logstash -f quick_test.conf

casquero · June 22, 2021, 6:14pm

that worked thanks!

elasticforme · June 22, 2021, 6:30pm

Great, mark thread as solved, that way if someone else search on it. they will easily know it

Topic		Replies	Views
How to convert field date from String to Date? Logstash	13	9396	April 20, 2020
Create a new field type date from csv with logstash Logstash	3	343	August 8, 2019
How to get date parsing target as a date nor string Logstash	4	392	November 17, 2022
String to date type Logstash	3	298	August 6, 2019
Logstash date field problem Logstash	2	302	April 10, 2020

Unble to convert to date string field

Related topics