How to add new timestamp field on logstash?

Question

I'm parsing a log that have previously loaded in my localhost and I would like to get the event date field in each row as a timestamp, but kibana only can gets it as a string.

Example: I have this event

2016/09/27 13:33:49.701 GMT(09/27 15:33:49 +0200) INFO       BILLINGGW  ConvergysDelegate.getCustomer(): Calling getCustomerFromCache: 0001:606523

It was loaded on September 27th 2016, 16:04:53.222 , but the logdate field (the event date) is: 2016/09/27 13:33:49.701 .

On logstash filter I defined:

(?<logdate>%{NUMBER:year}/%{NUMBER:month}/%{NUMBER:day} %{HOUR:hday}:%{MINUTE:min}:%{SECOND:sec}) %{GREEDYDATA:result}

I also proved with:

(?<logdate>%{YEAR:year}/%{MONTHNUM:month}/%{MONTHDAY:day} %{HOUR:hday}:%{MINUTE:min}:%{SECOND:sec}) %{GREEDYDATA:result}

And kibana reads logdate like string. How can I get that kibana could read it as timestamp?

I proved only with the date:

(?<logdate>%{NUMBER:year}/%{NUMBER:month}/%{NUMBER:day})

and Kibana interpreted it properly like timestamp, but the problem is how to add correctly the hours, minutes and seconds to the logdate field.

Could anyone help me?

Best regards.

Answer 1

You'll have to convert from a string to a timestamp, using the date filter .

date {
  match => [ "logdate", "yyyy/MM/dd HH:mm:ss"]
}

This will attempt to parse the logdate field with this date pattern yyyy/MM/dd HH:mm:ss and, if successful, will replace the @timestamp field with the result. You can specify another field for the parsed date with the target option.