Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Logstash to convert epoch timestamp

Tags:

logstash

kibana

I'm trying to parse some epoch timestamps to be something more readable.

I looked around for how to parse them into a normal time, and from what I understand all I should have to do is something like this:

mutate
{
    remove_field => [ "..."]
}

grok
{
    match => { 'message' => '%{NUMBER:time}%{SPACE}%{NUMBER:time2}...' }
}

date
{
    match => [ "time","UNIX" ]
}

An example of a message is: 1410811884.84 1406931111.00 .... The first two values should be UNIX time values.

My grok works, because all of the fields show in Kibana with the expected values, and all the values fields I've removed aren't there so the mutate works too. The date section seems to do nothing.

From what I understand the match => [ "time","UNIX" ] should do what I want (Change the value of time to be a proper date format, and have it show on kibana as a field.) . So apparently I'm not understanding it.

like image 609
Swikrit Avatar asked Dec 18 '15 01:12

Swikrit

Video Answer

2 Answers

The date{} filter replaces the value of @timestamp with the data provided, so you should see @timestamp with the same value as the [time] field. This is typically useful since there's some delay in the propagation, processing, and storing of the logs, so using the event's own time is preferred.

Since you have more than one date field, you'll want to use the 'target' parameter of the date filter to specify the destination of the parsed date, e.g.:

date {
    match => [ "time","UNIX" ]
    target => "myTime"
}

This would convert the string field named [time] into a date field named [myTime]. Kibana knows how to display date fields, and you can customize that in the kibana settings.

Since you probably don't need both a string a date version of the same data, you can remove the string version as part of the conversion:

date {
    match => [ "time","UNIX" ]
    target => "myTime"
    remove_field => [ "time" ]
}
like image 106
Alain Collins Avatar answered Sep 20 '22 09:09

Alain Collins

Consider also trying with UNIX_MS for milliseconds.

date {
    timezone => "UTC"
    match => ["timestamp", "UNIX_MS"]
    target => "@timestamp"
}
like image 20
rcf Avatar answered Sep 22 '22 09:09

rcf
Sign in to Comment

Related questions

Logstash Grok filter for uwsgi logs
Changing the default analyzer in ElasticSearch or LogStash
Is there any Python implementation of logstash's grok functionality?
Why do people ship logs to Logstash with NXLog and not Logstash itself?
How to find fields with mapping conflicts
How can I have logstash drop all events that do not match a group of regular expressions?
Error: Expected one of #, input, filter, output at line 24, column 1 (byte 528) after "}
Logback.groovy LogstashEncoder altering field names
logstash: how to include input file line number
Parse logs containing python tracebacks using logstash
How to send celery all logs to a custom handler . in my case python-logstash handler
Feeding logstash from azure web app. How?
Logging to logstash from python
How to remove all fields with NULL value in Logstash filter
Kibana time delta between two fields
Logstash with Kafka: Unable to decode avro
LogStash: How to make a copy of the @timestamp field while maintaining the same time format?
Logstash replace @timestamp with syslog date
Grok pattern for data separated by pipe
Elasticsearch index much larger than the actual size of the logs it indexed?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!