Hi,
I have this sentence, The deployment started 3/19/2019 at 2:05 as a "message" to logstash
How do I capture the date and time in the above sentence? Also, how should I check to allow this sentence to be parsed and other sentences be ignored. I was thinking something on the lines of:
if [message] =~ /^The deployment started/ {
ruby{
<some code here to parse date and time>
}
}
Any help here is appreciated. Thanks.
Why not a grok or dissect filter?
Hey David,
Can you give an example? Would be really helpful.
Thanks.
A dissect would be as simple as
dissect { mapping => { "message" => "The deployment started %{date} at %{time}" } }This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.