Hello,
I am trying to extract the time stamp from the header of log data. Here is what my log data looks like:
Page: 1 Active Internet connections Report: Total ( 223) Time: Mon Mar 17 00:14:32 EST 2014
Proto |RefCnt |Type |State
unix |3 |STREAM |CONNECTED
unix |3 |STREAM |CONNECTED
unix |3 |STREAM |CONNECTED
unix |3 |STREAM |CONNECTED
unix |3 |STREAM |CONNECTED
unix |3 |STREAM |CONNECTED
unix |3 |STREAM |CONNECTED
unix |3 |STREAM |CONNECTED
unix |2 |DGRAM |
As an output I only need the time field [Time: Mon Mar 17 00:14:32 EST 2014] from the header, and to extract metrics I can use the grok filter. Any ideas would be helpful.
You mean you want to pick up the timestamp from the header line and apply that timestamp to all subsequent events? I don't believe there's a Logstash plugin that helps you with this.
I need a time stamp from the header and would like to process the subsequent events with that time stamp.
The Time field from header [Time: Mon Mar 17 00:14:32 EST 2014] should replace the "@timestamp" field, and all the subsequent events under the header should have the same @timestamp while processing the event.
For example, the output should look like:
"@timestamp" => "2014-03-17T12:14:32:000Z"
"proto" => "unix"
"RefCnt" => "3"
"Type" => "STREAM"
"State" => "CONNECTED" [and then for the second event also it should have the same @timestamp]
"@timestamp" => "2014-03-17T12:14:32:000Z"
"proto" => "unix"
"RefCnt" => "2"
"Type" => "DGRAM"
Right. Then my previous answer stands; there's no standard plugin to help out with this.
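One way to get the behaviour asked for in this thread is to pre-process the report before it reaches Logstash, carrying the header time forward onto every row. The following is an added example, not code from any poster or from Logstash. It assumes the pipe-delimited layout shown in the question and a fixed UTC offset per timezone abbreviation; `TZ_OFFSETS`, `parse_header_time` and `events` are hypothetical names.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: fixed UTC offsets; list only the abbreviations your hosts emit.
TZ_OFFSETS = {"EST": -5, "EDT": -4, "UTC": 0, "GMT": 0}
HEADER_RE = re.compile(r"Time:\s+(\w{3} \w{3}\s+\d{1,2} [\d:]{8}) (\w+) (\d{4})")
COLUMNS = ("Proto", "RefCnt", "Type", "State")

# Constructed sample in the layout shown in the question.
SAMPLE = """\
Page: 1 Active Internet connections Report: Total ( 223) Time: Mon Mar 17 00:14:32 EST 2014
Proto |RefCnt |Type |State
unix |3 |STREAM |CONNECTED
unix |2 |DGRAM |
"""

def parse_header_time(line):
    """Return the header time as an aware UTC datetime, or None if not a header."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    stamp, abbrev, year = m.groups()
    if abbrev not in TZ_OFFSETS:
        raise ValueError(f"unknown timezone abbreviation: {abbrev}")
    local = datetime.strptime(f"{stamp} {year}", "%a %b %d %H:%M:%S %Y")
    tz = timezone(timedelta(hours=TZ_OFFSETS[abbrev]))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)

def events(lines):
    """Yield one dict per data row, stamped with the most recent header time."""
    current = None
    for raw in lines:
        line = raw.strip()
        ts = parse_header_time(line)
        if ts is not None:
            current = ts            # a new page header resets the timestamp
            continue
        fields = [f.strip() for f in line.split("|")]
        if tuple(fields) == COLUMNS:
            continue                # column-name row
        if current is None or len(fields) != len(COLUMNS):
            continue                # row before any header, blank or malformed
        event = {"@timestamp": current.strftime("%Y-%m-%dT%H:%M:%S.000Z")}
        event.update({k: v for k, v in zip(COLUMNS, fields) if v})
        yield event

if __name__ == "__main__":
    for ev in events(SAMPLE.splitlines()):
        print(ev)
```

Each emitted record can be written as one JSON line and ingested with a plain `date` match on `@timestamp`, so no cross-event state is needed inside the pipeline.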