Grok Custom Timestamp Filter

Ghassan_Zein · October 3, 2019, 9:55am

Am not able to filter the following date through grok, it doesnt fall under any ready made TIMESTAMP filters:

07 Aug 2019 13:54:27.463

I want to retrive it and replace it with @timestamp (or create a "Date" variable and add it there)

Thanks

ben.west · October 3, 2019, 10:52am

Hi,

You can use the Date Filter to create arbitrary (and multiple) patterns for handling date/time stamps.

Ghassan_Zein · October 3, 2019, 10:55am

@ben.west I know about the Date Filter but am not able to find the right syntax to fit with my need. Can you please advise?

ben.west · October 3, 2019, 11:01am

This should work: dd MMM yyyy HH:mm:ss.SSS

Ghassan_Zein · October 3, 2019, 11:04am

how would the whole config be in this case? like this?

date {
     match => [ "Date", "dd MMM yyyy HH:mm:ss.SSS" ]
     target => "Date"
    }

ben.west · October 3, 2019, 12:24pm

Yes that should work. You mentioned in your original post you wanted to update the @timestamp field of the event so you can omit the target to do this automatically.

system · October 31, 2019, 12:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.