Develop Reference

Logstash Date filter not working properly

I was trying to filer message to get timestamp and use date filter to convert the string to date but the converted date different as of original.
Filter code:
filter {
grok {
match => [ "message", "%{TIMESTAMP_ISO8601:timestamp} \| %{LOGLEVEL:loglevel} \| %{NOTSPACE:taskid} \| %{NOTSPACE:logger} \| %{WORD:label}( \| %{INT:duration:int})?" ]
}
date {
match => ["timestamp", "YYYY-MM-DD HH:mm:ss,SSS"]
target => "timestamp"
}
}
input
2021-04-19 12:06:39,586 | INFO | 12345 | TASK_START | start
output
"timestamp" => 2021-01-19T06:36:39.586Z,
the hour and minute have changed

logstash and elasticsearch store dates as UTC, and kibana will map that to the browser's timezone. By default a date filter will use the local timezone. So if you are in the Asia/Kolkata timezone, which is +05:30 compared to UTC, this is working exactly as expected. If the timestamp field is in a different timezone then use the timezone option of the date filter to tell it which one.

If timestamps in your logs are not UTC you can provide timezone information.
For example:
date {
match => ["timestamp", "YYYY-MM-DD HH:mm:ss,SSS"]
timezone => "Asia/Kolkata"
target => "#timestamp" // <--- this is optional, #timestamp is default
}

Error parsing date with grok filter in logstash

I need to parse the date and timestamp in the log to show in #timestamp field. I am able to parse timestamp but not date.
Input Log:
"2010-08-18","00:01:55","text"
My Filter:
grok {
match => { "message" => '"(%{DATE})","(%{TIME})","(%{GREEDYDATA:message3})"’}
}
Here DATE throws grokparsefailure.
Also not sure how to update the #timestamp field.
Appreciate your help.

The %{DATE} pattern is not what you want. It's looking for something in M/D/Y, M-D-Y, D-M-Y, or D/M/Y format.
For a file like this, you could consider using the csv filter:
filter {
csv {
columns => ["date","time","message3"]
add_filed => {
"date_time" => "%{date} %{time}"
}
}
date {
match => [ "date_time", "yyyy-MM-dd HH:mm:ss" ]
remove_field => ["date", "time", "date_time" ]
}
}
This will handle the case where message3 has embedded quotes in it that have been escaped.

Filter on a nested date field in logstash

I'm trying to use date filter on a nested date field in json
json snippet:
"_source": {
"QueryResult": {
"Results": [
{
"CreationDate": "2016-12-13T05:37:11.953Z",
filter config:
filter {
date {
match => [ "[QueryResult][Results][CreationDate]", "ISO8601" ]
}
}
It keeps failing with below error:
[2017-01-05T19:40:44,575][ERROR][logstash.pipeline ] Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {"exception"=>java.lang.NumberFormatException: For input string: "CreationDate", "backtrace"=>["java.lang.
NumberFormatException.forInputString(java/lang/NumberFormatException.java:65)", "java.lang.Integer.parseInt(java/lang/Integer.java:580)", "java.lang.Integer.parseInt(java/lang/Integer.java:615)", "org.logstash.Accessors.fetch(org/logstash/Accessors.java:130)", "org.logstash.Accessors.get(org/logstas
h/Accessors.java:20)", "org.logstash.Event.getUnconvertedField(org/logstash/Event.java:160)", "org.logstash.Event.getField(org/logstash/Event.java:150)", "org.logstash.filters.DateFilter.executeParsers(org/logstash/filters/DateFilter.java:97)", "org.logstash.filters.DateFilter.receive(org/logstash/f
ilters/DateFilter.java:78)", "java.lang.reflect.Method.invoke(java/lang/reflect/Method.java:497)", "RUBY.multi_filter(/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-date-3.1.1/lib/logstash/filters/date.rb:191)", "RUBY.multi_filter(/usr/share/logstash/logstash-core/lib/logstash/filt
er_delegator.rb:41)", "RUBY.filter_func((eval):42)", "LogStash::Pipeline.filter_batch(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:295)", "LogStash::Pipeline.filter_batch(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:295)", "org.jruby.RubyProc.call(org/jruby/RubyProc.java:
281)", "LogStash::Util::WrappedSynchronousQueue::ReadBatch.each(/usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:192)", "LogStash::Util::WrappedSynchronousQueue::ReadBatch.each(/usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:192)", "or
g.jruby.RubyHash.each(org/jruby/RubyHash.java:1342)", "LogStash::Util::WrappedSynchronousQueue::ReadBatch.each(/usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:191)", "LogStash::Util::WrappedSynchronousQueue::ReadBatch.each(/usr/share/logstash/logstash-core/lib/logsta
sh/util/wrapped_synchronous_queue.rb:191)", "LogStash::Pipeline.filter_batch(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:294)", "LogStash::Pipeline.filter_batch(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:294)", "RUBY.worker_loop(/usr/share/logstash/logstash-core/lib/lo
gstash/pipeline.rb:282)", "RUBY.start_workers(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:258)", "java.lang.Thread.run(java/lang/Thread.java:745)"]}
I've been trying to figure this out for few days now, but no luck.
I tried removing the codec: json as suggested # Access nested JSON Field in Logstash and checked the date format as suggested # 0 Parsing a date field in logstash to elastic search and Nested field access in date filter
Based on above post, I tried below filter snippet, but still got the same error:
date {
match => [ "[QueryResult][Results][CreationDate]",
"UNIX",
"UNIX_MS",
"ISO8601",
"timestamp",
"yyyy-MM-dd HH:mm:ss.SSS",
"yyyy-MM-dd HH:mm:ss,SSS",
"yyyy-MM-dd HH:mm:ss",
"yyyy/MM/dd HH:mm:ss",
"MMM d HH:mm:ss",
"MMM dd HH:mm:ss",
"dd/MMM/yyyy:HH:mm:ss Z",
"yyyy-MM-dd HH:mm:ss.SSSZ",
"yyyy-MM-dd'T'HH:mm:ss.SSSZ",
"yyyy-MM-dd'T'HH:mm:ssZ",
"E MMM dd HH:mm:ss yyyy Z" ]
target => "timestamp"
}
Any help/clue will be appreciated.

How to parse the date using Date Filter

My log message as below
2016-04-04T12:51:01.05-0500 [App/0] OUT [INFO ] SRVE0250I: Web
Module DataWorks has been bound to default_host.
Can someone guide me to write date filter to parse the date in the above message? I also need to convert the date to UTC format after that.

As I can see you are using standard ISO8601 date format. You can use following logstash config:
filter {
grok {
match => ["message", "%{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:another}"]
}
date {
match => [ "timestamp", "ISO8601" ]
}
}
this will grok your date to timestamp field, and then parse date to UTC to #timestamp field. Read more here:
https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html

Logstash csv filter create index name based on timestamp

I want to create ES index based on the dates matching from the logfile. I am using logstash CSV filter to process the logs. For instance, the log data appears like below
2016-02-21 00:02:32.238,123.abc.com,data
2016-02-22 00:04:40.145,345.abc.com,data
Below is the logstash configuration file. Obviously the index will be created as testlog, however, i want the index to be created as testlog-2016.02.21 and testlog-2016.02.22, given that YYYY.mm.dd is the logstash preferred format for index dates. I have done this with grok filters, and I am trying the achieve the same with csv, but this doesn't seem to work.
filter {
csv {
columns => [ "timestamp", "host", "data" ]
separator => ","
remove_field => ["message"]
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "testlog"
}
}
We are on Logstash 2.1.0, ES 2.1.0 and Kibana 4.3.0 version
Any inputs appreciated

You need to specify the #timestamp field in filter, and you also need to specify your index name as below:
filter {
csv {
columns => [ "timestamp", "host", "data" ]
separator => ","
remove_field => ["message"]
}
date {
match => [ "timestamp", "ISO8601" ] #specify timestamp format
timezone => "UTC" #specify timezone
target => "#timestamp"
}
}
output {
elasticsearch
hosts => ["localhost:9200"]
index => "testlog-%{+YYYY.MM.dd}"
}
}