Convert date

I want to convert data1, data3, data4 and data5 to dates. An example of the log:

NormalTransac#0112019 Apr 29 13:30:49 -03:00#0112019/04/29 13:30:49 -03:00#0112019 
Apr 29 13:30:49 -03:00#0111689530397.4535.1556555444285@tjsc.jus.br#011569E3FA2- 
87AD-CE05-831F- 70151F8DA94E#0111DC752C6A1#0112#011esaj@tjsc.jus.br#011jonathan@loboadvogados.com#011Protocolo Eletrônico e-Saj - Petição Intermediária Protocolada (0315551-57.2018.8.24.0038 - WJVE.19.10090057-5)#011svmnt-beexc-02.tjsc.ad[10.18.12.79]#011mx.b.locaweb.com.br[177.153.23.242]:25#011250 2.0.0 Ok: queued as 44t9Bd4X2zz3Q#011sent#01100100000000000000#0110#011#0112019 Apr 29 13:30:49 -03:00#0112019 Apr 29 13:30:49 -03:00#011#0113#011

The date is formatted like this: 2019 May 15 13:50:59 -03:00

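# Logstash pipeline for IMSVA mail-transaction logs received as syslog over UDP.
# Each record is a list of fields separated by the literal text "#011", which is
# how the syslog sender escapes a TAB character.
input
{
	udp
	{
		# UDP syslog is unauthenticated and unencrypted, and the source address can be
		# forged. Limit who can reach this port (firewall / ACL) to the IMSVA hosts,
		# otherwise anyone on the network can write records into the index.
		port  => 5141
		type  => "syslog"
		tags  => ["imsva"]
		codec => plain { charset => "UTF-8" }
	}
}

filter
{
	if "imsva" in [tags]
	{
		# Split the record into named columns.
		# NOTE(review): remetente, destinatario and assunto are chosen by whoever sent
		# the mail. A subject that contains the separator text or a stray double quote
		# can shift or break the columns, so treat the parsed fields as untrusted.
		csv
		{
			source => "message"
			columns =>
			[
				"transacao","data1","data2","data3","campo5","id","id2","campo8","remetente",
				"destinatario","assunto","host_origen","host_destino","resposta_server",
				"status","campo16","campo17","campo18","data4","data5","campo21","campo22","anexo"
			]
			separator => "#011"
		}

		# One date block per field: the first element of match is the field name and
		# every following element is a format, so several match lines in one block do
		# not parse several fields.
		# The sample values end in a UTC offset (" -03:00"); the first format consumes
		# it and the original format is kept as a fallback for values without one.
		# locale pins the English month abbreviations ("Apr", "May") seen in the sample,
		# independent of the locale of the Logstash host.
		# target writes the parsed time back into the same field; without it the result
		# goes to @timestamp. With these blocks @timestamp stays the ingest time.
		date
		{
			match  => [ "data1", "yyyy MMM dd HH:mm:ss ZZ", "yyy MMM dd HH:mm:ss" ]
			locale => "en"
			target => "data1"
		}
		date
		{
			match  => [ "data3", "yyyy MMM dd HH:mm:ss ZZ", "yyy MMM dd HH:mm:ss" ]
			locale => "en"
			target => "data3"
		}
		date
		{
			match  => [ "data4", "yyyy MMM dd HH:mm:ss ZZ", "yyy MMM dd HH:mm:ss" ]
			locale => "en"
			target => "data4"
		}
		date
		{
			match  => [ "data5", "yyyy MMM dd HH:mm:ss ZZ", "yyy MMM dd HH:mm:ss" ]
			locale => "en"
			target => "data5"
		}
		# data2 uses a different layout in the sample (2019/04/29 13:30:49 -03:00) and
		# is left as a string, as in the original configuration.

		# Disabled in the original post and kept disabled here.
#       mutate 
#		{
#			convert => [ "transacao", "string" ]
#			convert => [ "id", "string" ]
#			convert => [ "campo5","string"]
#			convert => [ "id2","string"]
#			convert => [ "campo8","string"]
#			convert => [ "remetente","string"]
#			convert => [ "destinatario","string"]
#			convert => [ "assunto","string"]
#			convert => [ "host_origen","string"]
#			convert => [ "host_destino","string"]
#			convert => [ "resposta_server","string"]
#			convert => [ "status","string" ]
#			convert => [ "campo16","string" ]
#			convert => [ "campo17","string" ]
#			convert => [ "campo18","string" ]
#			convert => [ "campo21","string" ]
#			convert => [ "campo22","string" ]
#			convert => [ "anexo", "string" ]
#		}

		# Label the mail direction from the recipient address.
		# NOTE(review): "in" on a string field is a substring test, so a recipient such
		# as user@tjsc.jus.br.example.org is also labelled incoming. If destinatario
		# always holds a single address, an anchored test like
		# [destinatario] =~ /@tjsc\.jus\.br$/ is stricter; confirm the field format first.
		if "tjsc.jus.br" in [destinatario]
		{
			mutate
			{
				add_field => { "message_direction" => "incoming" }
			}
		}
		else
		{
			mutate
			{
				add_field => { "message_direction" => "outgoing" }
			}
		}

		# Drop the raw line only when it was parsed; on a CSV failure the original
		# text is the only record of what was received and is worth keeping.
		if "_csvparsefailure" not in [tags]
		{
			mutate
			{
				remove_field => [ "message" ]
			}
		}
	}
}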

I think you have to assign the result back to data1 once it matches:
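date {
# Formats are tried in order. The sample value ends in a UTC offset (" -03:00"),
# which the first format consumes; the format from the question is kept as a
# fallback for values that carry no offset.
match => [ "data1", "yyyy MMM dd HH:mm:ss ZZ", "yyy MMM dd HH:mm:ss" ]
# Without target the parsed time is written to @timestamp instead of data1.
target => "data1"
}
# A date block parses one field (the first element of match), so data3, data4 and
# data5 each need a block of their own with the matching target.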

looks like it's working
Thx men

That is good to hear, Schneider. Please visit often and share your experience.
