Unble to convert to date string field

casquero · June 22, 2021, 1:52pm

I've tried to create a new field as date but always appears as string in Kibana, I've done the following:

  mutate {
    add_field => {
      "timestampTest" => "%{localisodate}"
    }
  }
  date {
    match => ["timestampTest", "YYYY.MM.dd"]
    target => "@timestamp"
  }

localisodate is a field captured in an event like:

code => 'myArray=event.get("message").split("|", -1)
event.set("localisodate",myArray[0])

Result in kibana:

elasticforme · June 22, 2021, 1:55pm

because you are not changing timestampTest with date

here is you have problem.

date {
match => ["timestampTest", "YYYY.MM.dd"]
target => "timestampTest"
}

casquero · June 22, 2021, 1:59pm

After changing the target still persits as String

date {
    match => ["timestampTest", "YYYY.MM.dd"]
    target => "timestampTest"
  }

casquero · June 22, 2021, 1:59pm

I've also created a new Kibana index

elasticforme · June 22, 2021, 2:01pm

what is the output when you run this on commandline?

casquero · June 22, 2021, 2:04pm

What do u mean with running in commandline? I am noob with ELK...

elasticforme · June 22, 2021, 2:08pm

ok what is your original timestampTest value? 2021.06.20 something like this?

casquero · June 22, 2021, 2:12pm

The field comes from different log traces and it takes several values, like this:

elasticforme · June 22, 2021, 2:53pm

ok. your original post didn't had this and hence no way to tell anything.
your date matching is wrong.

and please don't post pic. as we can't cut-paste from it.

Here are some example
2021-06-22
date { match => ["timestampTest", "yyyy-MM-dd"]
target => "timestampTest" }

2021-06-22 16:12:12
date { match => ["timestampTest", "yyyy-MM-dd HH:mm:ss"]
target => "timestampTest" }

2021-06-22 16:12:12,413
date { match => ["timestampTest", "yyyy-MM-dd HH:mm:ss,SSS"]
target => "timestampTest" }

and for your original message
2021-06-2216:12:12,413
date { match => ["timestampTest", "yyyy-MM-ddHH:mm:ss,SSS"]
target => "timestampTest" }

Here is how do quick test for any small test like this. There is also way you can do it from whole thing on command line.

I have quick_test.conf file

input {
   generator {
     message => '{"num": 101, "timestampTest":"2021-06-2216:12:12,413"}' 
      count => 1
   }
}

filter {
   json { source => "message" }
     date { match => ["timestampTest", "yyyy-MM-ddHH:mm:ss,SSS"]
          target => "timestampTest" }
}

output   {
 stdout { codec => rubydebug }
}

and then I run this from command line

/usr/share/logstash/bin/logstash -f quick_test.conf

casquero · June 22, 2021, 6:14pm

that worked thanks!

elasticforme · June 22, 2021, 6:30pm

Great, mark thread as solved, that way if someone else search on it. they will easily know it

system · July 20, 2021, 6:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.