Extract date and time from message field into a dedicated field

How do I extract the date and time from the message field into a dedicated field?
This is my .conf file:

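input {
  beats {
    port => 5044
  }
}

filter {
  # Events whose log_type is "json": the whole message is a JSON document.
  # NOTE(review): this branch tests [log_type] while the nojson branch below
  # tests [fields][log_type]. Beats ships custom fields under [fields] unless
  # fields_under_root is enabled, so one of the two conditions is probably
  # never true — confirm against the shipper config and use the same path.
  if [log_type] == "json" {
    mutate {
      rename => { "message" => "raw_data" }
    }
    json {
      source => "raw_data"
    }
    # The parsed document's "timestamp" becomes @timestamp.
    date {
      match => [ "timestamp", "ISO8601" ]
    }
  }

  # Events whose log_type is "nojson": plain-text lines of the form
  #   LEVEL [yyyy-MM-dd HH:mm:ss,SSS] [thread] <uuid> logger - {json tail}
  if [fields][log_type] == "nojson" {
    grok {
      match => {
        "message" => [
          "(?m)%{LOGLEVEL:level}\s*\[%{TIMESTAMP_ISO8601:timestamp}\]\s*\[(?<thread>[\w._.-]+)\]\s*(?<logger>[\w\.\w]+)\s*(?<message>[^{]*)",
          "(?m)%{LOGLEVEL:level}\s*\[%{TIMESTAMP_ISO8601:timestamp}\]\s*\[(?<thread>[\w\-\s./]+)\]\s*%{UUID:requestid}(?<message>[^{]*)"
        ]
      }
      # Both patterns capture into "message", which already exists on the event.
      # Without overwrite grok appends, and "message" ends up a two-element array
      # (original line + captured text). With overwrite the captured text (the part
      # before the first "{") replaces the line; the JSON tail is then not kept in
      # "message". In the sample lines that tail carries credential material, which
      # would otherwise be indexed verbatim — if it is needed, capture it into its
      # own field rather than leaving it in "message".
      overwrite => [ "message" ]
    }
    # Parse the extracted "timestamp" (e.g. 2019-09-18 12:40:55,174) into
    # @timestamp so the event is timestamped by the log line, not by ingest time.
    # Without this the grok'd timestamp is only a string field.
    date {
      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
    }
  }
}

output {
  stdout { codec => rubydebug }

  elasticsearch {
    # NOTE(review): 9160 is not the default Elasticsearch HTTP port (9200);
    # confirm this is where the cluster listens, otherwise nothing is indexed.
    hosts => ["localhost:9160"]
    index => "logstash-api-logs-%{+YYYY-MM-dd}"
    manage_template => false
  }

  #file { path => "/opt/elk_data/devops/devops-%{+YYYY-MM-dd}.log" }
}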

Please paste one sample entry of your data too.

DEBUG [2019-09-18 12:40:55,174] [dw-50 - POST /thirdparty/knowlarity/c2cCallInfo] 17975e1d-9e28-4ed2-a420-37e92f5662c8 i.e.a.a.BasicOAuthAuthenticator - {"message":"found user THIRDPARTYSUPPORT_user/KNOWLARITY for credentials secret_96c46e36-235b-4a0e-b977-3cbeb42c292c"}
DEBUG [2019-09-18 12:40:55,174] [dw-50 - POST /thirdparty/knowlarity/c2cCallInfo] 17975e1d-9e28-4ed2-a420-37e92f5662c8 i.e.a.a.EPaylaterAuthorizer - {"message":"calling authorizer for user THIRDPARTYSUPPORT_user/KNOWLARITY and role KNOWLARITY"}

You can try the following pattern for date/time field extraction:

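# Split the date/time into its components, then reassemble them into one field.
# "datetimeinputfield" stands for whichever field holds the text to parse
# (for the sample lines above that is "message").
grok {
  match => { "datetimeinputfield" => "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{TIME:time}" }
}
mutate {
  # Hash form of add_field; the older array form [ "field", "value" ] is also accepted.
  add_field => { "dedicated_field" => "%{year}-%{month}-%{day} %{time}" }
}
# Optional: also make the extracted value the event's @timestamp, so events are
# ordered by when they were logged rather than when they were ingested.
# %{TIME} accepts a comma fraction, so "12:40:55,174" from the sample matches ",SSS".
date {
  match => [ "dedicated_field", "yyyy-MM-dd HH:mm:ss,SSS", "yyyy-MM-dd HH:mm:ss" ]
}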
