Using Logstash to correct timestamps

I'm very new to the ELK stack.

I have several logs that start collecting data before the system's time is set. The result is that I have several hundred log entries with inaccurate timestamps.

Is there a way I can edit the incorrect timestamps in Logstash based on the first correct entry in the log? Or is there a way to edit them after they have been indexed into Elasticsearch?

Could you show us an example?

Here is sample Logstash filter code that prevents timestamps from being more than three days from now:

#
# If the event timestamp is skewed by more than 3 days (259200 seconds)...
#
ruby {
  code => 'if ( Time.now.to_i - event.get("@timestamp").to_i ).abs > 259200
               event.tag("timeskew")
               event.set("timeskew_original_timestamp", event.get("@timestamp"))
               event.set("@timestamp", LogStash::Timestamp.at(Time.now))
           end'
  tag_on_exception => "rubyexception"
}

An example log would be something like this:

20000101T000531 AOSC 17061199 [EVENT]: 01/01/00 00:05:31 AOSC --- Info --- MCCC Bad entered
20000101T000540 AOSC 17061199 [EVENT]: 01/01/00 00:05:40 AOSC --- Warning --- MCCCSubSocket Timeout :->1212
20000101T000540 AOSC 17061199 [EVENT]: 01/01/00 00:05:40 AOSC --- Warning --- MCCCSubSocket Timeout :->6161
20000101T000540 AOSC 17061199 [EVENT]: 01/01/00 00:05:40 AOSC --- Warning --- MCCCSubSocket Timeout :->8484
20000101T000540 AOSC 17061199 [EVENT]: 01/01/00 00:05:40 AOSC --- Warning --- MCCCSubSocket Timeout :->7777
20000101T000542 AOSC 17061199 [ERROR]: 01/01/00 00:05:42 AOSC --- ERROR --- DCU timed out
20000101T000542 AOSC 17061199 [ERROR]: 01/01/00 00:05:42 AOSC --- ERROR --- Switch timed out
20000101T000542 AOSC 17061199 [ERROR]: 01/01/00 00:05:42 AOSC --- ERROR --- UPS timed out
20191001T140025 DCU NULL [EVENT]: Initialized LOG port
20191001T140025 DCU NULL [EVENT]: Using ARINC 429 card #0
20191001T140025 DCU NULL [EVENT]: Using ARINC 429 core #0
20191001T140025 DCU NULL [EVENT]: Using 429 channel #4
20191001T140025 DCU NULL [EVENT]: Using 575 channel #5
20191001T140025 DCU NULL [EVENT]: Using CARA channel #6

I need the dates from 2000 corrected to match the date the log was created (20191001 in this case), but the date the log is created is not necessarily the date it is ingested by Logstash.

Which of these dates is correct? Sorry, but I still don't understand your question.
Which date is wrong, and which date should it be?
Are the first eight lines the wrong entries, with the first correct entry on line 9?

Some devices, particularly network devices, apparently don't have a battery-backed clock and start logging before they sync to a time server. We have some that log at the Unix epoch (1/1/1970), others at some 1980 date, and some at just some randomly wrong date (maybe they have a battery clock that has drifted).

Sorry I wasn't clear. All of the lines are part of the same log file.

The first 8 lines in my example are recorded with the wrong date/time and need to be corrected.

Line 9 is the first correct date/time.

So my question is this:
Is there a way I can correct the date/time of the first 8 lines using the date/time from the 9th line?

Yeah, we know the system is using some kind of timestamp from the physical hardware before the correct time gets synced up. The problem is that the system is restarted between uses, so when the next log from that system gets ingested we lose the previous log's data. It's a weird, dumb problem, but unfortunately it is the way it is.

It could be done with an aggregate filter, but it will not be cheap. Basically: if the date on the event is from 2000, shove the event into the map; if the date is not from 2000, add the correct date to the map and push the map as an event; then use a split filter to split the map back into multiple events and move the date into the correct field.
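The buffer-then-backfill idea above can be sketched in plain Ruby (outside Logstash, so the `backfill` helper and the field names are illustrative, not an actual aggregate-filter config). It buffers events whose year is 2000 and, once the first sane timestamp arrives, rewrites the buffered timestamps while preserving their relative spacing:

```ruby
require 'time'

BAD_YEAR = 2000  # year the devices log before their clock syncs

# Sketch only: buffer events with a bogus year, then shift them so the
# last bad timestamp lines up with the first good one, keeping the
# relative offsets between the buffered events intact.
def backfill(events)
  buffered  = []
  corrected = []
  events.each do |e|
    ts = Time.strptime(e[:ts], '%Y%m%dT%H%M%S')
    if ts.year == BAD_YEAR
      buffered << { event: e, ts: ts }
      next
    end
    unless buffered.empty?
      # Seconds between the first good timestamp and the last bad one.
      offset = ts - buffered.last[:ts]
      buffered.each do |b|
        fixed = b[:ts] + offset
        corrected << b[:event].merge(ts: fixed.strftime('%Y%m%dT%H%M%S'))
      end
      buffered.clear
    end
    corrected << e
  end
  corrected
end
```

With the sample log above, the two bad entries nine seconds apart would come out nine seconds apart, ending at the first good timestamp. In a real pipeline the buffering would live in the aggregate filter's map and the flush would happen via push_map_as_event_on_timeout plus a split filter.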

You will need pipeline.workers set to 1 and pipeline.java_execution set to false, because the aggregate filter's map is only consistent when a single worker sees all the events in order.
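In logstash.yml (or in that pipeline's entry in pipelines.yml) that would look something like the following. Note that pipeline.java_execution only exists on older Logstash releases; on recent versions the Java engine is the only option, so check the docs for your version:

```yaml
pipeline.workers: 1            # aggregate state is per worker
pipeline.java_execution: false # older releases only
```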
