Get seconds from the timestamp and put them into a separate field

Hello, I am trying to do the following:

If the field mymessage contains My string, create another field called seconds and put there the bolded value of my timestamp - November 15th 2015, 08:42:29.779. In other words, I would like this to result in seconds=29.779, which is taken from the timestamp of the event, but unfortunately this puts the value of %{SECOND}.

if [mymessage] =~ /^My string/ {
  mutate {
    add_field => [ "seconds", "%{SECOND}" ]
  }
  .....
}

What am I doing wrong?

I think you might be conflating grok patterns and fields. You get "%{SECOND}" because the message doesn't have a field named SECOND.

Use a grok filter to extract the seconds from the @timestamp field. Untested:

grok {
  match => ["@timestamp", ":%{SECOND:seconds}Z"]
}

How can I extract hours, minute and also weekday from the timestamp?

You just have to find the pattern you want to use in grok; see here for available patterns:

https://github.com/elastic/logstash/blob/v1.4.2/patterns/grok-patterns

Thank you so much for such a soon reply.
I did manage to get the hours, minute and sec from the timestamp.

But is there any possibility of getting the weekday from the timestamp?

For example, this is my timestamp: "11/May/2016:05:00:00 +0530"
How can I get the weekday from this?
Like:
weekday:wednesday

Thank you

I don't think there's a plugin that'll do this for you, but you can definitely write some Ruby code and put it in a ruby filter.

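The ruby-filter approach suggested in the last reply, sketched as an added example that is not part of the original thread: plain Ruby that derives weekday, hour, minute and second from the timestamp format quoted above. The helper name `time_parts` and the output field names are assumptions. The `utc:` switch shows why the weekday should come from the raw string and not from the UTC-normalised `@timestamp`.

```ruby
require 'date'

# Format of the timestamp quoted in the thread: "11/May/2016:05:00:00 +0530"
ACCESS_LOG_FORMAT = '%d/%b/%Y:%H:%M:%S %z'

# Hypothetical helper (not a Logstash API): returns a hash of new fields,
# or nil when the string does not parse, so the caller can tag the event
# instead of silently writing wrong values.
def time_parts(raw, utc: false)
  t = DateTime.strptime(raw.to_s.strip, ACCESS_LOG_FORMAT)
  # @timestamp in Logstash is always UTC; utc: true reproduces what you
  # would get if you derived the parts from it instead of the raw string.
  t = t.new_offset(0) if utc
  {
    'weekday' => t.strftime('%A').downcase,
    'hour'    => t.hour,
    'minute'  => t.minute,
    'second'  => t.second
  }
rescue ArgumentError # raised for unparsable input (Date::Error is a subclass)
  nil
end

# In a Logstash ruby filter the same body would read the raw string with
# event.get and write each key with event.set (Logstash 5+ event API);
# the source field name is whatever your grok pattern captured.

if __FILE__ == $PROGRAM_NAME
  raw = '11/May/2016:05:00:00 +0530' # timestamp from the thread
  p time_parts(raw)            # parts in the log's own offset
  p time_parts(raw, utc: true) # parts after conversion to UTC
  p time_parts('not a timestamp')
end
```

For the thread's timestamp the local-offset weekday and the UTC weekday differ by a day, which matters when events from several time zones are correlated by day of week.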