Develop Reference

Date filter in logstash: bad results(shows one day back)

I am loading a CSV file into elastic using logstash
This CSV file contains a column 'deadline' which has dates of the format
"deadline": "15-06-2014"
I am using the date filter plugin in logstash to get this in date format into elastic
date {
match => ["deadline","dd-MM-yyyy"]
target => "deadline_date"
}
But in the output I am receiving the date which has moved one day back
"deadline_date": "2014-06-14T18:30:00.000Z"
I have one more instance with format like this "dd-MM-yyyy HH:mm"
date {
match => ["launched","dd-MM-yyyy HH:mm"]
target => "launched_date"
}
Gives result with time changed
"launched": "09-09-2013 18:19"
"launched_date": "2013-09-09T12:49:00.000Z"
Please help me figure out this issue.

You're missing your timezone:
date {
match => ["deadline","dd-MM-yyyy"]
target => "deadline_date"
timezone => "Etc/GMT"
}

date format convertion in logstash elk stack

I have a date column in my table that I fetch using jdbc input in logstash. The problem is logstash gives a wrong value to elasticsearch stack.
For example if I have a date start_date="2018-03-01" in elasticsearch I would get the value "2018-02-28 23:00:00.000".
What I want is to keep the format of start_date or at least output the value "2018-03-01 00:00:00.000" to elasticsearch.
I tried to use this filter :
date {
timezone => "UTC"
match => ["start_date" , "ISO8601", "yyyy-MM-dd HH:mm:ss"]
}
but it didn't work.

It is because, you are trying to convert it to UTC timezone. You need to change your configuration like this:
date {
match => ["start_date" , "yyyy-MM-dd"]
}
This would be enough to parse your date.
Let me know if that works.

Add extra value to field before sending to elasticsearch

I'm using logstash, filebeat and grok to send data from logs to my elastisearch instance. This is the grok configuration in the pipe
filter {
grok {
match => {
"message" => "%{SYSLOGTIMESTAMP:messageDate} %{GREEDYDATA:messagge}"
}
}
}
This works fine, the issue is that messageDate is in this format Jan 15 11:18:25 and it doesn't have a year entry.
Now, i actually know the year these files were created in and i was wondering if it is possible to add the value to the field during the process, that is, somehow turn Jan 15 11:18:25 into 2016 Jan 15 11:18:25 before sending to elasticsearch (obviously without editing the files, which i could do and even with ease but it'll be a temporary fix to what i have to do and not a definitive solution)
I have tried googling if it was possible but no luck...

Valepu,
The only way to modify the data from a field is using the ruby filter:
filter {
ruby {
code => "#your code here#"
}
}
For more information like...how to get,set field values, here is the link:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-ruby.html

If you have a separate field for date as a string, you can use logstash date plugin:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html
If you don't have it as a separate field (as in this case) use this site to construct your own grok pattern:
http://grokconstructor.appspot.com/do/match
I made this to preprocess the values:
%{YEAR:yearVal} %{MONTH:monthVal} %{NUMBER:dayVal} %{TIME:timeVal} %{GREEDYDATA:message}
Not the most elegant I guess, but you get the values in different fields. Using this you can create your own date field and parse it with date filter so you will get a comparable value or you can use these fields by themselves. I'm sure there is a better solution, for example you could make your own grok pattern and use that, but I'm gonna leave some exploration for you too. :)

By reading thoroughly the grok documentation i found what google couldn't find for me and which i apparently missed the first time i read that page
https://www.elastic.co/guide/en/logstash/current/plugins-filters-grok.html#plugins-filters-grok-add_field
Using the add_field and remove_field options i managed to add the year to my date, then i used the date plugin to send it to logstash as a timestamp. My filter configuration now looks like this
filter {
grok {
match => {
"message" => "%{SYSLOGTIMESTAMP:tMessageDate} %{GREEDYDATA:messagge}"
add_field => { "messageDate" => "2016 %{tMessageDate}" }
remove_field => ["tMessageDate"]
}
}
date {
match => [ "messageDate", "YYYY MMM dd HH:mm:ss"]
}
}
And it worked fine

Syslog timestamp without year?

I am backfilling my logs into Elasticsearch. So for creating an index by log date in it's timestamp, I use date filter like this:
date {
"locale" => "en"
match => ["timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601"]
target => "#timestamp"
}
I am using logs from syslog, and syslog timestamp format doest not have year:
# Syslog Dates: Month Day HH:MM:SS
SYSLOGTIMESTAMP %{MONTH} +%{MONTHDAY} %{TIME}
So after using date filter, the index created is like logstash-2015.12.26
if I am reading a log of 26th Dec 2014. So since timestamp is not available in log, it's picking the current year by default.
Any idea how to make the correct index?

Absent a year in the string being parsed by Joda Time, Logstash currently defaults to the year the Logstash process was started. See github.com/logstash-plugins/logstash-filter-date bug #3. As a temporary workaround, add a temporary filter to append the correct year (2014) to the end of the timestamp field and adjust your date filter pattern to include YYYY.
filter {
mutate {
replace => ["timestamp", "%{timestamp} 2014"]
}
date {
locale => "en"
match => ["timestamp",
"MMM d HH:mm:ss YYYY",
"MMM dd HH:mm:ss YYYY",
"ISO8601"]
}
}

You can convert your string of date to a date format using date filter. By default, when you use date filter, the date (or datetime) of your log will overwritte the #timestamp.
So, in your filter you don't need target. You just use it if you want convert a variable string to date.
Example:
match => ["timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601"]

If the log files you are loading have the year in the filename, you can extract it using a grok filter, create a new field that has the date you've pulled from the syslog plus the year from the filename.
An example of how to extract the date/time from filename can be found here: Logstash: How to use date/time in a filename as an imported field

Using a ruby function, I was able to dynamically set the date to the previous year (If the log date is greater than present YYYY). The event date is read, and computed to see if its greater than the current system date. If YES, subtract 365 days, and overwrite the timestamp.
ruby {
code => 'require "date"
am_date = "%b %d %H:%M:%S"
parsed=DateTime.strptime(event.get("timestamp"), am_date)
m_now=DateTime.now
if parsed>m_now
parsed=parsed-365
else
parsed=parsed
end
event.set("timestamp", parsed.to_s) '
}
This will prevent any hard-coding of dates.

Convert a string field to date

So, I have a two fields in my log: timeLogged, timeQueued all this fields have date format: 2014-06-14 19:41:21+0000
My question is, how to convert string date value to logstash date? like in #timestamp

For the sole purpose of converting to #timestamp there is a dedicated date filter
date {
match => ["timeLogged","YYYY-MM-dd HH:mm:ss+SSSS"]
}
Now in your case there are basically two types of fields that might be used so you will have to dig a little, either use a grok filter to copy the values in a generic "log_date" field, or trying to see if the date filter can take several arguments like one of thoses possibilities:
date {
match => ["timeLogged","YYYY-MM-dd HH:mm:ss+SSSS",
"timeQueued","YYYY-MM-dd HH:mm:ss+SSSS" ]
}
OR
date {
match => ["timeLogged","YYYY-MM-dd HH:mm:ss+SSSS"]
match => ["timeQueued","YYYY-MM-dd HH:mm:ss+SSSS"]
}
It is up to you to experiment, I never tried myself ;)

this should suffice
date{
match => [ "timeLogged","ISO8601","YYYY-MM-dd HH:mm:ss" ]
target => "timeLogged"
locale => "en"
}

You can try this filter
filter {
ruby {
code => "
event['timeLogged'] = Time.parse(event['timeLogged'])
event['timeQueued'] = Time.parse(event['timeQueued'])
"
}
}
Use the powerful ruby library to do what you need!