Timestamp to date in Logstash - elasticsearch

I am trying to convert a string field called timestamp with value 1510722000000 in date format field in Logstash. My sole purpose is to visualize data in kibana using this date field. I tried using the date filter but it does not create the target field for me. Can anyone tell me How can I achieve this
My date filter looks like this
date {
timezone => "UTC"
match => ["timestamp", "UNIX_MS"]
target => "#timestamp1"
}

The Date filter used by me is correct. The problem is my input from timestamp is an array of milliseconds from epoch time. Date filter cannot convert an array of values in date field. To parse the values in array we can use Ruby filter.
Take a look on this post Parsing array of epoch time values in Ruby filter
please note it will still not convert into datefield format but just parse the values.

Related

Date filter in logstash: bad results(shows one day back)

I am loading a CSV file into elastic using logstash
This CSV file contains a column 'deadline' which has dates of the format
"deadline": "15-06-2014"
I am using the date filter plugin in logstash to get this in date format into elastic
date {
match => ["deadline","dd-MM-yyyy"]
target => "deadline_date"
}
But in the output I am receiving the date which has moved one day back
"deadline_date": "2014-06-14T18:30:00.000Z"
I have one more instance with format like this "dd-MM-yyyy HH:mm"
date {
match => ["launched","dd-MM-yyyy HH:mm"]
target => "launched_date"
}
Gives result with time changed
"launched": "09-09-2013 18:19"
"launched_date": "2013-09-09T12:49:00.000Z"
Please help me figure out this issue.
You're missing your timezone:
date {
match => ["deadline","dd-MM-yyyy"]
target => "deadline_date"
timezone => "Etc/GMT"
}

date format convertion in logstash elk stack

I have a date column in my table that I fetch using jdbc input in logstash. The problem is logstash gives a wrong value to elasticsearch stack.
For example if I have a date start_date="2018-03-01" in elasticsearch I would get the value "2018-02-28 23:00:00.000".
What I want is to keep the format of start_date or at least output the value "2018-03-01 00:00:00.000" to elasticsearch.
I tried to use this filter :
date {
timezone => "UTC"
match => ["start_date" , "ISO8601", "yyyy-MM-dd HH:mm:ss"]
}
but it didn't work.
It is because, you are trying to convert it to UTC timezone. You need to change your configuration like this:
date {
match => ["start_date" , "yyyy-MM-dd"]
}
This would be enough to parse your date.
Let me know if that works.

Search text in String field or Date field

I a new in Elasticsearch and I have a problem for research. I use Spring data elasticsearch.
I have a single input for research and I would like to search a text in a string field AND in a date field.
In my mapping I have a field "beginDate" of type "date" but when I do the search, for example, "Jon", Elastic return an error "Invalid format" because "Jon" is not a valid format for a date.
I tested with a String field for "beginDate" but the problem is the format. In DB my format is "2018-02-11" and I would like to retrieve with the strings below :
11.02.2018
02.2018
2018
11 02 2018
02 2018
How can I do this ?
Thank you
Basically you want to do string search operations on the date field as well. You can specify the that the date is a text field and not a date field and it has the standard analyzer (the default analyzer, it will tokenize the input and it will remove -, . etc). The only thing you have to do is to stringify your date before indexing that value in elasticsearch.

How to add new timestamp field on logstash?

I'm parsing a log that have previously loaded in my localhost and I would like to get the event date field in each row as a timestamp, but kibana only can gets it as a string.
Example:
I have this event
2016/09/27 13:33:49.701 GMT(09/27 15:33:49 +0200) INFO BILLINGGW ConvergysDelegate.getCustomer(): Calling getCustomerFromCache: 0001:606523
It was loaded on September 27th 2016, 16:04:53.222, but the logdate field (the event date) is: 2016/09/27 13:33:49.701.
On logstash filter I defined:
(?<logdate>%{NUMBER:year}/%{NUMBER:month}/%{NUMBER:day} %{HOUR:hday}:%{MINUTE:min}:%{SECOND:sec}) %{GREEDYDATA:result}
I also proved with:
(?<logdate>%{YEAR:year}/%{MONTHNUM:month}/%{MONTHDAY:day} %{HOUR:hday}:%{MINUTE:min}:%{SECOND:sec}) %{GREEDYDATA:result}
And kibana reads logdate like string. How can I get that kibana could read it as timestamp?
I proved only with the date:
(?<logdate>%{NUMBER:year}/%{NUMBER:month}/%{NUMBER:day})
and Kibana interpreted it properly like timestamp, but the problem is how to add correctly the hours, minutes and seconds to the logdate field.
Could anyone help me?
Best regards.
You'll have to convert from a string to a timestamp, using the date filter.
date {
match => [ "logdate", "yyyy/MM/dd HH:mm:ss"]
}
This will attempt to parse the logdate field with this date pattern yyyy/MM/dd HH:mm:ss and, if successful, will replace the #timestamp field with the result. You can specify another field for the parsed date with the target option.

How to set time in log as main #timestamp in elasticsearch

Im using logstash to index some old log files in my elastic DB.
i need kibana/elastic to set the timestamp from within the logfile as the main #timestamp.
Im using grok filter in the following way:
%{TIMESTAMP_ISO8601:#timestamp}
yet elasticsearch sets the time of indexing as the main #timestamp and not the timestamp written in the log line.
Any idea what am i doing wrong here?
Thanks
Use the date filter to set the #timestamp field. Extract the timestamp in whatever format it's in into a separate (temporary) field, e.g. timestamp, and feed it to the date filter. In your case you'll most likely be able to use the special ISO8601 timestamp format token.
filter {
date {
match => ["timestamp", "ISO8601"]
remove_field => ["timestamp"]
}
}

Resources