Hi,
I have two different logfiles.
Construction of the first one:
19.03.18-13:56:06
TabellenName -A 12 -D 323
TabellenName -A 329 -D 323
TabellenName -A 12 -D 12,3
TabellenName -A 12 -D 323
19.03.18-13:57:44
Construction of the second one:
Message Successfully
03/19/18 15:45:23
logstash.conf has the following structure for the first file:
if [fields][LogEvent] == "Tabelle" {
  mutate { gsub => ["message", "[,]", ""] }
  grok {
    match => { "message" => "%{GREEDYDATA:Tabelle} -A%{NUMBER:KorrespondezA}: \s* %{GREEDYDATA:DatensaetzeA:int} -D%{NUMBER:KorrespondezD}: \s* %{GREEDYDATA:DatensaetzeD:int}" }
    remove_field => ["message"]
  }
  grok {
    match => { "message" => "%{DATE:Datum}-%{TIME:Uhrzeit}" }
    add_field => { "timestamp" => "%{Datum} %{Uhrzeit}" }
    remove_field => ["Datum", "Uhrzeit", "message"]
  }
  date {
    match => ["timestamp", "dd.MM.yy HH:mm:ss"]
    target => ["@timestamp"]
    remove_field => ["timestamp"]
  }
  mutate { gsub => ["Tabelle", "[.]", ""] }
  if "_grokparsefailure" in [tags] {
    drop {}
  }
}
The logstash.conf has the following structure for the second file:
if [fields][LogEvent] == "delete_create" {
  if "Creation Time" in [message] {
    grok {
      match => { "message" => "%{DATE:Datum} %{TIME:Uhrzeit}" }
      add_field => { "timestamp" => "%{Datum} %{Uhrzeit}" }
      remove_field => ["Datum", "Uhrzeit", "message"]
    }
    date {
      match => ["timestamp", "MM/dd/yy HH:mm:ss"]
      target => ["@timestamp"]
      remove_field => ["timestamp"]
    }
  }
  if "Successfully" in [message] {
    grok {
      match => { "message" => "%{WORD:Status}" }
      remove_field => ["message"]
    }
  }
  mutate { add_field => { "newmessage" => "%{timestamp} %{Status}" } }
}
So the problem I have is to write the timestamp before the Message.
Example for the second file:
03/19/18 15:45:23 Successfully
After that I want a grok filter to parse the newmessage field, so that the message line in the logfile is set to the timestamp when the logfile was created, and not to "today/now", when it was read into the ELK stack.
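Because the two lines of the second file arrive as two separate events, a filter on one event cannot see the other; the pipeline below joins them at the input with the multiline codec and then builds the "<timestamp> <Status>" message in one place. This is an added example, not part of the original post or of the Logstash project; it assumes Logstash reads the file directly (with Filebeat, the equivalent multiline pattern/negate/match options go in filebeat.yml), and the file path and timezone are assumed values.

```conf
input {
  file {
    path => "/var/log/app/delete_create.log"   # assumed path
    start_position => "beginning"
    codec => multiline {
      # A "MM/dd/yy HH:mm:ss" line belongs to the "Message ..." line before it,
      # so the two lines become one event: "Message Successfully\n03/19/18 15:45:23"
      pattern => "^%{DATE_US} %{TIME}"
      negate => false
      what => "previous"
      # flush the last pair at end of file instead of waiting for a next line
      auto_flush_interval => 5
    }
  }
}

filter {
  # (?m) lets the pattern span the newline between the two joined lines.
  grok {
    match => { "message" => "(?m)^Message %{WORD:Status}\n%{DATE_US:Datum} %{TIME:Uhrzeit}$" }
  }
  if "_grokparsefailure" in [tags] { drop {} }

  mutate { add_field => { "timestamp" => "%{Datum} %{Uhrzeit}" } }

  # @timestamp comes from the log line, not from ingestion time. "timestamp" is
  # kept here; the original config removed it before the later mutate used it.
  date {
    match    => ["timestamp", "MM/dd/yy HH:mm:ss"]
    target   => "@timestamp"
    timezone => "Europe/Berlin"   # assumed; use the zone of the producing host
  }

  # Rewrite message as "<timestamp> <Status>", e.g. "03/19/18 15:45:23 Successfully"
  mutate {
    replace      => { "message" => "%{timestamp} %{Status}" }
    remove_field => ["Datum", "Uhrzeit", "timestamp"]
  }
}

output { stdout { codec => rubydebug } }
```

The rewritten message is a single field, so no second grok is needed to read it back; Status and @timestamp are already separate fields on the event.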