Log entry:
SEARCH#Android#SLO#sikmb#BIB#sikmb#02-okt-2017 07:04:00.721#ADV##0#0#0#2#8#((šola AND luči)) NOT (DT=D) NOT RS=D and (DP=08 OR DP=XX) NOT NH=1
Filter part from pipeline:
grok {
  match => {"message" => "%{DATA:act}\#%{DATA:interface}\#%{DATA:country}\#%{DATA:acronym}\#%{DATA:typeDB}\#%{GREEDYDATA:leftovers}"}
}
if [act] == "CONN" {
  drop { }
}
ruby {
  code => "event.set('acronym', event.get('acronym').upcase)"
}
mutate {
  split => {"leftovers" => "#"}
}
if [act] == "AUTH" {
  mutate {
    add_field => {
      "date" => "%{leftovers[1]}"
      "userID" => "%{leftovers[2]}"
    }
    remove_field => [leftovers]
  }
} else if [act] == "DISP" {
  mutate {
    add_field => {
      "date" => "%{leftovers[0]}"
      "outputType" => "%{leftovers[1]}"
      "userID" => "%{leftovers[2]}"
    }
    remove_field => [leftovers]
  }
} else if [act] == "SEARCH" {
  mutate {
    # WORKAROUND: šumniki (Slovenian characters č, š, ž)
    add_field => {
      "url" => ""
      "date" => "%{leftovers[1]}"
      "mode" => "%{leftovers[2]}"
      "stZadetkov" => "%{leftovers[7]}"
    }
    merge => {"url" => "leftovers[9]"}
    remove_field => [leftovers]
  }
} else if [act] == "RESR" or [act] == "PROL" or [act] == "CRES" {
  mutate {
    add_field => {
      "date" => "%{leftovers[1]}"
      "userID" => "%{leftovers[2]}"
      "serialNum" => "%{leftovers[3]}"
    }
    remove_field => [leftovers]
  }
}
date {
  locale => "sl-SI"
  match => ["date", "dd-MMM-YYYY HH:mm:ss.SSS"]
  timezone => "Europe/Ljubljana"
  target => "date"
}
mutate {
  join => {"url" => ""}
  add_field => {"inputType" => "MCOBISS"}
}
My problem is that my date 02-okt-2017 07:04:00.721 is written using the Slovenian locale:
http://www.localeplanet.com/java/sl-SI/index.html
I've tried both options, sl and sl_SI, in the locale setting.
Is there any option to process this, or should I just do a gsub and just replace them?
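
The replacement approach asked about above, sketched in Ruby as an added example that is not part of the original post: it rewrites the month abbreviation to a numeric month so that a locale-independent pattern can parse the timestamp, and returns nil instead of guessing when the value is malformed. The function names and the month table are assumptions; only "okt" appears on the page.

```ruby
# Added example: rewrite a Slovenian month abbreviation to a numeric month so
# a locale-independent date pattern can parse the timestamp.
require 'date'

# Assumption: three-letter abbreviations of the Slovenian month names;
# only "okt" appears in the log entry on this page.
SL_MONTHS = %w[jan feb mar apr maj jun jul avg sep okt nov dec]
            .each_with_index.to_h { |abbr, i| [abbr, i + 1] }.freeze

# Matches dd-MMM-YYYY HH:mm:ss.SSS, tolerating a trailing dot after the month.
SL_DATE = /\A(\d{2})-(\p{L}{3})\.?-(\d{4}) (\d{2}:\d{2}:\d{2}\.\d{3})\z/

# Returns "dd-MM-YYYY HH:mm:ss.SSS", or nil when the input does not match,
# the month is unknown, or the calendar date is invalid.
def normalize_sl_date(raw)
  m = SL_DATE.match(raw.to_s.strip)
  return nil unless m
  month = SL_MONTHS[m[2].downcase]
  return nil unless month
  return nil unless Date.valid_date?(m[3].to_i, month, m[1].to_i)
  format('%s-%02d-%s %s', m[1], month, m[3], m[4])
end

# Mirrors the split in the pipeline: five grok fields, then "leftovers",
# whose second element carries the date for SEARCH entries.
def search_date(line)
  parts = line.split('#', 6)
  return nil unless parts.length == 6 && parts[0] == 'SEARCH'
  leftovers = parts[5].split('#')
  normalize_sl_date(leftovers[1])
end

# Log entry from the page.
SAMPLE = 'SEARCH#Android#SLO#sikmb#BIB#sikmb#02-okt-2017 07:04:00.721#ADV##0#0#0#2#8#((šola AND luči)) NOT (DT=D) NOT RS=D and (DP=08 OR DP=XX) NOT NH=1'

puts search_date(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

Inside the pipeline the same logic could run in a ruby filter through event.get('date') and event.set('date', ...), with the date filter's pattern changed to dd-MM-YYYY HH:mm:ss.SSS so the locale no longer matters.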