Datestamp to timestamp

merlock · July 16, 2020, 9:06pm

hello all, i have the next format of log

06/17/2020 00:00:00 - 1.6.250.107 o00044696e20022001200940005

my filter

match => { "message" => ".%{DATESTAMP:LOGTIME}.-.*%{IP}.*w(?.{10})(?<Service_ID>.{5})(?.{3})(?<TIME_HARVEST>.{4})(?<IDLE_HARVEST>.{4})(?.{0,36})" }

Inglés

but I try to change to timestamp but it doesn't work for me

mutate {
add_field => [ "LOGTIME", "%{YEAR} %{MONTH} %{MONTHDAY} %{TIME}" ]
}

date {
	match => ["LOGTIME", "yyyy MMM dd HH:mm:ss", "ISO8601"]
	remove_field => ["LOGTIME"]
}

imagen

merlock · July 16, 2020, 9:55pm

I solved it with various date options

 if [type] == "harvest" {
    grok {
      match => { "message" => ".*(?<TIMESTAMP_ISO8601:timestamp>%{MONTHNUM}/%{MONTHDAY}/%{YEAR} %{TIME}).*-.*%{IP}.*w(?<MAC>.{10})(?<Service_ID>.{5})(?<NCANAL>.{3})(?<TIME_HARVEST>.{4})(?<IDLE_HARVEST>.{4})(?<PROGRAMACION>.{0,36})" }	 
	}
	grok {
	  match => { "message" => ".*(?<TIMESTAMP_ISO8601:timestamp>%{MONTHNUM}/%{MONTHDAY}/%{YEAR} %{TIME}).*-.*%{IP}.*W(?<MAC>.{10})(?<Service_ID>.{5})(?<NCANAL>.{3})(?<TIME_HARVEST>.{4})(?<IDLE_HARVEST>.{4})(?<PROGRAMACION>.{0,36})"	}	
	}
	date {
		match => [ "timestamp", "ISO8601", "MM/dd/yyyy HH:mm:ss","EEE MMM d HH:mm:ss YYYY", "yyyy-MM-dd HH:mm:ss.SSS", "yyyy/mm/dd/HH/mm/ss.SSS", "MMM  d HH:mm:ss.SSS", "MMM dd HH:mm:ss.SSS" , "yyyy-MM-dd HH:mm:ss.SSS", "MMM dd HH:mm:ss,SSS", "yyyy-MM-dd HH:mm:ss,SSS", "yy-MM-dd HH:mm:ss.SSS", "yyyy-MM-dd HH:mm:ss" ]
		target => "@timestamp"
		timezone => [ "UTC" ]
		remove_field => [ "timestamp" ]
	}

warkolm · July 16, 2020, 11:12pm

Welcome to our community!

Thanks for sharing your solution as well.

system · August 13, 2020, 11:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.