Way to sort walltime field with the format of hh:mm:ss

angelsmile · September 11, 2015, 4:48am

Hi,

There is a walltime field in our logs with the format of hh:mm:ss. What is the best format/way for this field in logstash so that we can have a panel in Kibana to sort these walltime data? Currently the field is stored as string, so the data are sorted in alphabet order instead of numeric order. For example for "86:00:00", "48:30:00", "230:00:00", they should be sorted in the order of "230:00:00" "86:00:00" "48:30:00" in Kibana panel, but now they are sorted as "86:00:00" "48:30:00" "230:00:00".

Thanks for your help.

warkolm · September 11, 2015, 7:02am

You should convert these to int's then, either in your grok or with a mutate => convert.

angelsmile · September 11, 2015, 12:02pm

Thanks Mark.

I cannot convert the field to int directly otherwise mm:ss will be trimmed. I tried grok, but got parse failure. Can you see what's wrong?

grok {
  match => [ "walltime", "%{NUMBER:hour}:%{NUMBER:min}:%{NUMBER:sec" ]
}

In case the field can be split to three fields, is it possible to sort multiple fields in a Kibana panel?