logstash reformat dates at OUTPUT time

Question

I'm outputting to CSV and I'd like my dates in ISO8601 format, such as 2014-04-02T19:21:36.292Z, but I keep getting dates like Mar 27 2014 17:56:33 in my csv.

I'm fine to create a second intermediate string variable to do the formatting, but it yields the same result.

I see that there's a "sprintf" function in Logstash, but it seems you can do EITHER variable references OR date formats (which I assume will get the current system date time), but I don't think you can do both. I other words, I don't think it lets you apply a date format to an existing date variable, or if it does I'm not sure what the syntax would be.

Plenty of false hits on Google and stack, but all are about parsing.

Ironically stdout happens to output in the format I want, using stdout { debug => true codec => "rubydebug"}. Maybe that could somehow help in my case, not sure? Although other folks might want some other arbitrary format.

Answer 1

Try this one. Add a new "date" field then output to csv.

filter {
   ruby {
        code => '
            require "time"
            event["date"] = Time.parse(event["@timestamp"].to_s).iso8601;
        '
   }
}