The date filter parses dates out of event fields, which makes it especially useful when working with time series events. By default, Logstash adds a @timestamp field to each event, representing the time at which it processed the event. The user, however, is often interested in the time the event was actually generated rather than the time it was processed. With this filter, you can parse the date/timestamp from a field and use it as the timestamp of the event.
We can use the plugin like so:
filter {
  date {
    match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
  }
}
By default, the date filter overwrites the @timestamp field, but this can be changed by providing an explicit target field, as shown in the following code snippet. This way, the user keeps the time at which Logstash processed the event, too:
filter {
  date {
    match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
    target => "event_timestamp"
  }
}
If the time field has multiple possible time formats, then those can be specified as an array of values to the match parameter:
match => [ "eventdate", "dd/MMM/YYYY:HH:mm:ss Z", "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss", "ISO8601" ]
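The following pipeline is an added example, not taken from the original text. It combines the multi-format match and the target field shown above with two date filter options that matter when events are later correlated on a timeline: timezone, for formats that carry no offset, and tag_on_failure, so that events whose date could not be parsed are marked instead of silently keeping only the processing time. The sample events, the UTC assumption and the timestamp_source field are constructed for illustration.

```logstash
# Added example. The events below are constructed samples: one per
# format in the match array, plus one value that no pattern can parse.
input {
  generator {
    count => 1
    codec => "json"
    lines => [
      '{"eventdate": "25/Mar/2024:10:15:02 +0000"}',
      '{"eventdate": "Mar 5 2024 10:15:02"}',
      '{"eventdate": "2024-03-25T10:15:02Z"}',
      '{"eventdate": "not a date"}'
    ]
  }
}

filter {
  date {
    # Same format list as in the text above, applied to the eventdate field.
    match => [ "eventdate", "dd/MMM/YYYY:HH:mm:ss Z", "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss", "ISO8601" ]

    # Keep @timestamp as the Logstash processing time and store the
    # parsed event time in a separate field.
    target => "event_timestamp"

    # Two of the formats carry no zone offset. Without this option such
    # values are interpreted in the time zone of the Logstash host.
    # Assumption for this example: those sources log in UTC.
    timezone => "UTC"

    # Tag added when no pattern matches (this is also the default value).
    tag_on_failure => [ "_dateparsefailure" ]
  }

  # Record where the usable timestamp came from, so that events with an
  # unparsed date can be found and reviewed instead of being trusted.
  # timestamp_source is a hypothetical field name.
  if "_dateparsefailure" in [tags] {
    mutate { add_field => { "timestamp_source" => "logstash_processing_time" } }
  } else {
    mutate { add_field => { "timestamp_source" => "eventdate" } }
  }
}

output {
  stdout { codec => rubydebug }
}
```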