Question

My log statement looks like this.

2014-04-23 06:40:29 INFO [1605853264] [ModuleName] - [ModuleName] - Blah blah

I am able to parse it fine and it gets logged to ES correctly with the following ES field:

"LogTimestamp": "2014-04-23T13:40:29.000Z"

But my requirement is to log this statement as follows; note that the 'Z' is dropped in favour of +0000. I tried replace and gsub, but neither changes the output.

"LogTimestamp": "2014-04-23T13:40:29.000+0000"

Can somebody help?

Here is my pattern (one definition per line in the patterns file; the nested quantifier `\s?*` in the thread-id bracket is written as `\s*` here, which is what it resolves to):

TEMP_TIMESTAMP %{YEAR}-%{MONTHNUM}-%{MONTHDAY}\s%{HOUR}:%{MINUTE}:%{SECOND}
TEMP_LOG %{TEMP_TIMESTAMP:logdate}\s*?%{LOGLEVEL:TempLogLevel}\s*?\[\s*%{BASE10NUM:TempThreadId}\]%{GREEDYDATA}

This is the filter config:

grok {
    # custom patterns (TEMP_TIMESTAMP, TEMP_LOG) live in ./patterns
    patterns_dir => ["patterns"]
    match => ["message", "%{TEMP_LOG}"]
}

date {
    # parse the raw "logdate" string as Pacific time and store the instant in LogTimestamp
    match    => ["logdate", "yyyy-MM-dd HH:mm:ss"]
    target   => "LogTimestamp"
    timezone => "PST8PDT"
}

mutate {
    # rewrites the raw "logdate" string field, not the LogTimestamp produced by the date filter
    gsub => ["logdate", ".000Z", ".000+0000"]
}

I haven't quite understood the meaning of fields in Logstash and how they map to Elasticsearch; that confusion is what is making me go wrong in this case.


Solution

You can use the ruby filter plugin to do what you want!

Per your requirement, you want to change this

"LogTimestamp": "2014-04-23T13:40:29.000Z"

to

"LogTimestamp": "2014-04-23T13:40:29.000+0000"

Try this filter:

filter {
    ruby {
        # Logstash 1.x event API: event['field'] reads and writes a field
        # (later releases use event.get / event.set instead).
        # Re-express the parsed Time in a fixed +00:00 zone so it serialises
        # with a numeric offset rather than "Z".
        code => "
                event['LogTimestamp'] = event['LogTimestamp'].localtime('+00:00')
        "
    }
}

Hope this can help you.

Licensed under: CC-BY-SA with attribution