Date filter

This plugin parses dates from fields. It is particularly useful when working with time series events. By default, Logstash adds a @timestamp field to each event, representing the time at which it processed the event. However, the user is often interested in the time the event was actually generated rather than the time it was processed. Using this filter, you can parse the date/timestamp from a field and then use it as the timestamp of the event.

We can use the plugin like so:

filter {
  date {
    match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
  }
}

By default, the date filter overwrites the @timestamp field, but this can be changed by providing an explicit target field, as shown in the following code snippet. Thus, the user can keep the event time processed by Logstash, too:

filter {
  date {
    match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
    target => "event_timestamp"
  }
}

By default, the timezone will be the server local time, unless specified otherwise. To manually specify the timezone, use the timezone parameter/setting of the plugin. Valid timezone values can be found at http://joda-time.sourceforge.net/timezones.html.

If the time field has multiple possible time formats, then those can be specified as an array of values to the match parameter:

match => [ "eventdate", "dd/MMM/YYYY:HH:mm:ss Z", "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss", "ISO8601" ]
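
An added example, not taken from the book: one filter block combining the options described above (several formats, timezone, target) and marking events whose date could not be parsed, so that a wrong event time is visible when building a timeline. The timezone value and the event_time_source field are assumptions chosen for illustration; tag_on_failure and its default _dateparsefailure tag are options of the date plugin that the text above does not cover.

```logstash
# Added example: the timezone value and event_time_source are assumptions.
filter {
  date {
    # Patterns are tried in order; the first one that parses is used.
    match => [ "eventdate",
               "dd/MMM/YYYY:HH:mm:ss Z",
               "MMM dd yyyy HH:mm:ss",
               "MMM d yyyy HH:mm:ss",
               "ISO8601" ]
    # Applied only to values that carry no zone of their own
    # (here, the two "MMM ..." patterns).
    timezone => "Europe/Berlin"
    # Keep Logstash's processing time in @timestamp.
    target => "event_timestamp"
    # Default value, written out to make the failure path explicit.
    tag_on_failure => [ "_dateparsefailure" ]
  }

  # When no pattern matches, the filter does not set event_timestamp
  # and only the processing time in @timestamp is available.
  if "_dateparsefailure" in [tags] {
    mutate {
      add_field => { "event_time_source" => "unparsed" }
    }
  } else {
    mutate {
      add_field => { "event_time_source" => "eventdate" }
    }
  }
}
```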