I have no idea about the replace_timestamp field. I was following some of the other posts here, and I don't really understand it; I don't find the documentation very thorough.
I have no idea if I can use the multiple items I've already grokked to do this.
CSV filter... OK, I'll look that up. Thank you.
New config:
filter {
  csv {
    separator => ","
    # one name per column, in the order they appear in the file
    columns   => ["line","record","date","time","source","site","+/-","event","mode","user","details"]
    # add_field is applied only after the CSV parse succeeds, so date and time are already populated
    add_field => { "replace_timestamp" => "%{date} %{time}" }
  }
  date {
    # Joda-Time pattern: dd = day, MMM = month name, yy = two-digit year, kk = clock-hour of day (1-24)
    match  => ["replace_timestamp", "ddMMMyy kk:mm:ss"]
    target => "@timestamp"
  }
}
Now the output looks like this:
{
                 "site" => "328",
           "@timestamp" => 2019-08-28T00:37:51.491Z,
                 "mode" => "Isol",
>                "tags" => [
>       [0] "_dateparsefailure"
>   ],
              "message" => "38415,25499,01Jul19,00:04:06,WOL,328,+,LM,Isol,,TEXT",
    "replace_timestamp" => "01Jul19 00:04:06",
                  "+/-" => "+",
                 "time" => "00:04:06",
              "details" => "TEXT",
                 "line" => "38415",
                 "user" => nil,
               "source" => "WOL",
                "event" => "LM",
             "@version" => "1",
                 "host" => "elasticsearch",
               "record" => "25499",
                 "date" => "01Jul19",
                 "path" => "/home/elasticsearch/eventlogs/sm_WOL_July.csv"
}
Looks like it can create the replace_timestamp field now, but can't parse it?
Thank you!
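Editor's added example, not part of the post above or of any reply in the thread. The output shows that replace_timestamp is built correctly and that the failure is in the date pattern, not the field: Logstash's date filter uses Joda-Time patterns, where kk is the clock-hour of day with range 1 to 24, so the hour "00" in "01Jul19 00:04:06" cannot match it. HH is hour-of-day 0 to 23 and matches. The configuration below is the poster's config with that one token changed, plus three things a practitioner would want to pin down: an explicit locale so "Jul" parses regardless of the host's default, an explicit timezone (without one the date filter reads the string in the Logstash host's local zone, and @timestamp is always stored as UTC), and removal of the scratch field once the parse has succeeded. The timezone value "UTC" and the choice to drop replace_timestamp are assumptions, not something the post states.

```logstash
filter {
  csv {
    separator => ","
    columns   => ["line","record","date","time","source","site","+/-","event","mode","user","details"]
    # add_field is applied only after the CSV parse succeeds, so date and time are populated here
    add_field => { "replace_timestamp" => "%{date} %{time}" }
  }
  date {
    # HH is hour-of-day 0-23; kk (clock-hour 1-24) rejects "00" and produces _dateparsefailure
    match    => ["replace_timestamp", "ddMMMyy HH:mm:ss"]
    # month names are English in this file, so do not depend on the host's default locale
    locale   => "en"
    # assumption: the log times are UTC; use the site's zone (e.g. "Europe/London") if they are local
    timezone => "UTC"
    target   => "@timestamp"
    # common filter options such as remove_field run only on success,
    # so on a parse failure the scratch field is kept for debugging
    remove_field => ["replace_timestamp"]
  }
}
```

With this pattern the sample line "01Jul19 00:04:06" parses and @timestamp becomes 2019-07-01T00:04:06.000Z; the _dateparsefailure tag is no longer added, and the original date and time columns stay on the event.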