Extract timestamp from filename

Elastic Stack Logstash
1

Hi All,

currently i have filename with the below format
[XXXXXXXX][YYYYYYYYYY][2016_07_21][19_21_12][160721T192103][ZZZZ]AB_RTRT.0.log.
is there a way, i can extract the datetimestamp and index it to a specific field in elastic search.

thanks
Subbu

2

I assume you're getting the filename in the path field. Use a grok filter to extract the timestamp from path into a field of its own.

3

thanks for the direction.

i used the below grok and i can fetch the year, month and date ([2016_07_21][19_21_12])
grok {
match => ["filename", "%{YEAR:year}%{MONTHNUM:month}%{MONTHDAY:day}"]
add_field => ["date", "%{month}/%{day}/%{year} "]
}

but i am not sure how to fetch the hour, mins and secs.

can you please help?

4

Always format regular expressions as code. If you look closely at your post you'll note that it doesn't represent reality. All underscores have disappeared.

Unsurprisingly, capturing a time works the same way as capturing a date. I suggest the following expression for capturing the whole timestamp string (including the square brackets):

(?<timestamp>\[%{YEAR}_%{MONTHNUM}_%{MONTHDAY}\]\[%{HOUR}_%{MINUTE}_%{SECOND}\])

This string can then be fed to the date filter.

5

thanks a lot it works.

i used this in grok,

match => ["filename", "(?[%{YEAR}%{MONTHNUM}%{MONTHDAY}][%{HOUR}%{MINUTE}%{SECOND}])"]

and applied this in a date filter

date{

match => ["temptimestamp", "[yyyy_MM_dd][HH_mm_ss]"]
    target => "filetimestamp"

}

it works fine. thanks a lot.