This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

How can I parse Timestamp?

Posted on 12-27-2023 01:54 AM
Former Community Member
Not applicable
Reply posted on --/--/---- --:-- AM

Hello All,
Please help us parse the endTimeISO, startTimeISO and eventTimeISO from the below log.

"{\"hostName\":\"ManageEngine Endpoint Central 11\",\"module\":\"System Manager\",\"priority\":\"Information\",\"timeDuration\":\"0\",\"application\":\"ManageEngine Endpoint Central 11\",\"computerName\":\"***-***\",\"domainName\":\"****\",\"viewerIp\":\"--\",\"eventTime\":\"1703582047178\",\"userIp\":\"--\",\"startTime\":\"1703582047178\",\"endTime\":\"1703582047178\",\"remarks\":\"****-****-***\",\"userName\":\"--\",\"startTimeISO\":\"2023-12-26T14:44:07.178+05:30\",\"endTimeISO\":\"2023-12-26T14:44:07.178+05:30\",\"eventTimeISO\":\"2023-12-26T14:44:07.178+05:30\"}

Solved Solved
0 5 688
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
lukas-lr
Bronze 4
Bronze 4
In response to Former Community Member
Reply posted on --/--/---- --:-- AM

Hi, the date filter should automatically set the "@timestamp" field, which is then used as the log timestamp in Chronicle

View solution in original post

Jump to Solution
0 Likes
5 REPLIES 5

Posted on --/--/---- --:-- AM
lukas-lr
Bronze 4
Bronze 4
Reply posted on --/--/---- --:-- AM

Hi manoj06,

After extracting the fields from the JSON, you can use one of

 

date {
    match => ["endTimeISO", "yyyy-MM-ddTHH:mm:ss.SSSZZ"]
}
date {
    match => ["startTimeISO", "yyyy-MM-ddTHH:mm:ss.SSSZZ"]
}
date {
    match => ["eventTimeISO", "yyyy-MM-ddTHH:mm:ss.SSSZZ"]
}

 

to parse the date format and use the respective field as timestamp

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
aravind_s12321
Bronze 3
Bronze 3
In response to lukas-lr
Reply posted on --/--/---- --:-- AM

Hello Lukas,

This is showing error.

Error: LOG_PARSING_CBN_ERROR: "generic::internal: pipeline failed: filter date (4) failed: failed to parse date field --"

Thanks,

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
lukas-lr
Bronze 4
Bronze 4
In response to aravind_s12321
Reply posted on --/--/---- --:-- AM

Hi aravind,

Are you sure your date field always contains a valid date? If the format is unstable, you can add more formats to the match array. If it is not always a date, you could check for example with something like

if [date] =~ /\d+-\d+\d+T\d+:\d+\d+\.\d+\+\d+:\d+/

for the format above (just typed this without trying, so there might be errors). Or you just do [date] != "" and [date] != "-"

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
Former Community Member
Not applicable
Reply posted on --/--/---- --:-- AM

Hi,
The above format is working, but we couldn't find the field date getting parsed. The date value is not getting mapped in the statedump.

manoj06_0-1703747199583.png

Can you please let us know how to parse as event time? 

 

Jump to Solution
0 Likes

Posted on --/--/---- --:-- AM
lukas-lr
Bronze 4
Bronze 4
In response to Former Community Member
Reply posted on --/--/---- --:-- AM

Hi, the date filter should automatically set the "@timestamp" field, which is then used as the log timestamp in Chronicle

Jump to Solution
0 Likes
Top Solution Authors
View all