Skip to content

[servicenow] Add Parsing for ECS Timestamp Field #16884

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
mohitjha-elastic wants to merge 2 commits into
base: main
Choose a base branch
from
Open

[servicenow] Add Parsing for ECS Timestamp Field #16884

mohitjha-elastic wants to merge 2 commits into from
+44 −4

Conversation

@mohitjha-elastic
Copy link
Collaborator

@mohitjha-elastic mohitjha-elastic commented Jan 6, 2026

Proposed commit message

servicenow: Add explicit date parsing for ECS @timestamp field.

Added explicit date parsing logic for the ECS @timestamp field to ensure consistent and accurate
timestamp handling during ingestion. Additionally, this ensures that the timestamp is explicitly parsed 
even when other date fields are not parsed, helping to avoid potential ingestion errors.

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

How to test this PR locally

  • Clone integrations repo.
  • Install the elastic package locally.
  • Start the elastic stack using the elastic package.
  • Move to integrations/packages/servicenow directory.
  • Run the following command to run tests.

elastic-package test -v

Related Issues

@mohitjha-elastic mohitjha-elastic self-assigned this Jan 6, 2026
@mohitjha-elastic mohitjha-elastic requested a review from a team as a code owner January 6, 2026 09:51
@mohitjha-elastic mohitjha-elastic added bugfix Pull request that fixes a bug issue Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Integration:servicenow ServiceNow Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors] labels Jan 6, 2026
@elasticmachine
Copy link

elasticmachine commented Jan 6, 2026

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)

@elastic-vault-github-plugin-prod
Copy link

elastic-vault-github-plugin-prod bot commented Jan 6, 2026

🚀 Benchmarks report

To see the full report comment with /test benchmark fullreport

@elasticmachine
Copy link

elasticmachine commented Jan 6, 2026

💚 Build Succeeded

cc @mohitjha-elastic

ShourieG
ShourieG reviewed Jan 8, 2026
View reviewed changes
packages/servicenow/data_stream/event/elasticsearch/ingest_pipeline/default.yml
Comment on lines +3347 to +3369
- yyyy-MM-dd H:mm:ss
- yyyy-MM-dd HH:mm:ss
- yyyy-MM-dd
- MM-dd-yyyy H:mm:ss
- MM-dd-yyyy HH:mm:ss
- MM-dd-yyyy
- dd-MM-yyyy H:mm:ss
- dd-MM-yyyy HH:mm:ss
- dd-MM-yyyy
- MM/dd/yyyy H:mm:ss
- MM/dd/yyyy HH:mm:ss
- MM/dd/yyyy
- dd/MM/yyyy H:mm:ss
- dd/MM/yyyy HH:mm:ss
- dd/MM/yyyy
- MM/dd/yy H:mm:ss
- MM/dd/yy HH:mm:ss
- MM/dd/yy
- dd.MM.yyyy H:mm:ss
- dd.MM.yyyy HH:mm:ss
- dd.MM.yyyy
- yyyy-MM-dd hh:mm:ss a
- ISO8601
Copy link
Contributor

@ShourieG ShourieG Jan 8, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My concern here is with formats like

  • MM-dd-yyyy
  • dd-MM-yyyy

as these are ambiguous from a global timestamp perspective. In india it's common trend to use dd-MM-yyyy or dd/MM/yyyy or dd.MM.yyyy. But in many places we use mm-dd-yyyy and etc.

How do we distinguish if the date 01-02-2026 or 05-07-2026 is in MM-dd-yyyy format or dd-MM-yyyy format ? Do we expect '@timestamp' to be normalised in any way ? If not how can we decide upon the right order of execution here ? If '@timestamp' is normalised as month-day-year, why have support for both patterns ?

Copy link
Contributor

@efd6 efd6 Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree. This is a LOCALE issue and should be configurable if it is necessary to handle different formats. Given that the servicenow data sources are essentially a free-for-all, we cannot safely determine which to use without being told by the user during configuration.

But in many places we use mm-dd-yyyy

Depending on the scope of "place"; this ordering is a US localisation.

Copy link
Collaborator Author

@mohitjha-elastic mohitjha-elastic Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The issue exists across the entire integration. All date processors currently support both MM-dd-yyyy and dd-MM-yyyy formats, while the preference is consistently set to MM-dd-yyyy across all processors.

I believe this is a separate concern, and we could open a new ticket to make the date format user-configurable instead of supporting multiple formats by default. Please let me know your thoughts, or if you think this should be addressed as part of the current PR.

Copy link
Contributor

@efd6 efd6 Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's reasonable to use this given that the pattern is already widespread. We should fix this in a follow-up though since currently dd-MM-yyyy dates in the source data are being incorrectly parsed when dd is not greater than 12. The problem is that currently the effective default LOCALE is for the US format, so we would need to maintain that, and non-US formats would be required to turn on their LOCALE preference to ensure that timestamps are parsed when they are not in dd ≤ 12. This would be a breaking change, unless we make it relaxed rather than strict (we keep both orders, but the configuration changes the order of appearance in the formats list).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@efd6 efd6 efd6 left review comments

@ShourieG ShourieG ShourieG left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@mohitjha-elastic mohitjha-elastic

Labels

bugfix Pull request that fixes a bug issue Integration:servicenow ServiceNow Team:Security-Service Integrations Security Service Integrations team [elastic/security-service-integrations] Team:Sit-Crest Crest developers on the Security Integrations team [elastic/sit-crest-contractors]

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[ServiceNow]: @timestamp field isn't being formatted and causing a "date_time_parse_exception"

4 participants

@mohitjha-elastic @elasticmachine @efd6 @ShourieG