Date parsing log without date in it

yammy · February 10, 2016, 8:36pm

I have a log that I need to collect, however it only contains the timestamp at the begining with no date.
Example:
145231.hostname!process1.19022.2799412992.0: msg1 "INFO: msg2"

I am successfully parsing the data with the grok statement below:
Example:
%{HOUR}%{MINUTE}%{SECOND}.%{DATA:my_host}!%{DATA:process}: %{DATA:msg1} %{GREEDYDATA:msg2}

What I am stuck on is how to use the date filter to set the timestamp on the event, using the data from the log entry and the present date. Does anyone have an example?

magnusbaeck · February 11, 2016, 6:53am

I don't remember what the date filter defaults to if you supply a pattern containing just hours and minutes, but you could always use a ruby filter to obtain the current date and assume that the log you're parsing is from today. Or, perhaps you could use the path field (containing the path to the input file) to figure out which day it is.

yammy · February 11, 2016, 1:35pm

Thanks Magnus

Do you know of any similar examples of this? I'm unsure of what it would look like.

magnusbaeck · February 11, 2016, 7:11pm

This should give you a date field with the current date (in the local timezone):

filter {
  ruby {
    code => "
      event['date'] = Time.now.strftime('%Y-%m-%d')
    "
  }
}

system · July 6, 2017, 5:12am