I have logs that I am parsing, and the date does not contain the year, which should default to the current year.
The field that I get after grok etc. is 06/25 11:33:19.9 PM and 06/25 11:33:19.9 PM, etc.
I am trying to use the date filter to change these to a date field type before sending to Elasticsearch. I am using the date filter below:
date {
  match => ["timestamp", "MM/dd HH:mm:ss:S a"]
  target => "timestamp"
}
But I am getting a dateparsefailure. Am I missing something?
"MM/dd HH:mm:ss:S a"
should be "MM/dd HH:mm:ss.S a"
Since your timestamp has AM/PM in it, instead of HH (hour of the day -- 0-23) you probably want K (0-11) or h (1-12).
If your dates do not have a year in them then Logstash will guess, and sometimes it will guess wrong. See the date filter issues on GitHub -- 137, 100, and the long discussion of 51.
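The year-guessing problem described in the answer above, as an added example that is not part of the original thread and is not Logstash's own logic: a Python sketch that resolves a year-less timestamp against a reference time (for example the ingest time), so that a December line processed in January or a leap-day line does not land in the wrong year. The function name `resolve_year`, the `max_skew` parameter and the "never more than one day in the future" policy are assumptions made for illustration; the `strptime` format is the Python counterpart of the corrected pattern `MM/dd hh:mm:ss.S a`.

```python
from datetime import datetime, timedelta

# Python counterpart of the Joda pattern "MM/dd hh:mm:ss.S a", with a candidate
# year prepended so the parse itself is never year-less.
FMT = "%Y/%m/%d %I:%M:%S.%f %p"


def resolve_year(raw, reference, max_skew=timedelta(days=1)):
    """Return the newest datetime matching `raw` that is not in the future.

    Assumed policy: a log line may be ahead of `reference` by at most
    `max_skew` (clock drift); anything later must belong to an earlier year.
    """
    # Try next year first (covers a 01/01 line seen at 12/31 23:59 on a fast
    # clock), then walk back far enough to reach the previous leap day.
    for year in range(reference.year + 1, reference.year - 9, -1):
        try:
            candidate = datetime.strptime(f"{year}/{raw}", FMT)
        except ValueError:
            continue  # e.g. 02/29 combined with a non-leap year
        if candidate <= reference + max_skew:
            return candidate
    raise ValueError(f"cannot resolve a year for {raw!r}")


if __name__ == "__main__":
    # Constructed sample inputs: (raw timestamp field, time the line was processed)
    samples = [
        ("06/25 11:33:19.9 PM", datetime(2024, 7, 1, 12, 0, 0)),
        ("12/31 11:59:58.0 PM", datetime(2025, 1, 1, 0, 0, 5)),   # year rollover
        ("02/29 01:00:00.0 AM", datetime(2025, 3, 1, 0, 0, 0)),   # leap day
        ("01/01 12:00:03.0 AM", datetime(2024, 12, 31, 23, 59, 59)),  # fast clock
    ]
    for raw, seen_at in samples:
        print(f"{raw!r} seen at {seen_at} -> {resolve_year(raw, seen_at)}")
```

Where the source can be changed, emitting a full timestamp with year and time zone removes the need for any such guess.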