Grok DATA as MONTH-NUMBER

Hi All,
I have two date types:
"2020-02-12 09:37:19,334" and "2020Feb07-10:42:22". I'd like to import a unique format into Kibana.

Currently I worked on the second one, using grok I was able to read "2020Feb07-10:42:22" with:
%{YEAR}%{DATA}%{MONTHDAY}-%{TIME}

The problem is that I'd like to read "%{DATA}" as "%{MONTH}", but if I use MONTH, grok doesn't see Feb as the second month.
Please help.

Hi Luigi,

I don't know if you can make a mapping month_in_letters -> month_as_num directly in the Grok filter. Though, if you want to make the second date type similar to the first one, you can always use a ruby filter to assemble it and then remove the useless fields with a remove_field filter. Supposing your grok is %{YEAR:year}%{DATA:month}%{MONTHDAY:day}-%{TIME:time}, then you can make a filter similar to the following:

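ruby {
  code => "
    year = event.get('year')
    month = event.get('month')
    day = event.get('day')
    time = event.get('time')
    # String keys ('Jan' => ...), so the lookup with the captured string matches
    month_to_num = { 'Jan' => '01', 'Feb' => '02', 'Mar' => '03', 'Apr' => '04', 'May' => '05', 'Jun' => '06', 'Jul' => '07', 'Aug' => '08', 'Sep' => '09', 'Oct' => '10', 'Nov' => '11', 'Dec' => '12' }

    unless [year, month, day, time].include? nil
      # Reduce the captured month to its first three letters, e.g. 'Feb'
      month_num = month_to_num[month[0..2].capitalize]
      # Skip events whose month name is not in the table
      unless month_num.nil?
        new_date = year + '-' + month_num + '-' + day + ' ' + time
        event.set('new_timestamp', new_date)
      end
    end
  "
}

mutate {
  remove_field => ["year", "month", "day", "time"]
}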

It's not the most elegant way but it should fit your needs :)
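
A standalone Ruby version of the normalization discussed in this thread, added here as an example and not code from either poster: it maps both timestamp formats from the question to one layout and returns nil for an unknown month name or an impossible date, so a malformed log line cannot end up with a wrong time in the index. The function name, constants and sample lines are constructed for illustration.

```ruby
require 'date'

# Constructed sample values: the two formats from the question plus two bad inputs.
SAMPLES = [
  '2020-02-12 09:37:19,334',
  '2020Feb07-10:42:22',
  '2020Foo07-10:42:22',   # unknown month name
  '2020Feb31-10:42:22'    # impossible calendar date
].freeze

MONTHS = %w[Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec].freeze

# Anchored patterns, so trailing or leading junk is rejected rather than ignored.
NUMERIC = /\A(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2}),(\d{3})\z/
NAMED   = /\A(\d{4})([A-Za-z]{3})(\d{2})-(\d{2}):(\d{2}):(\d{2})\z/

# Returns 'YYYY-MM-DD HH:MM:SS,mmm', or nil when the input is not a
# valid timestamp in either of the two formats.
def normalize_timestamp(raw)
  if (m = NUMERIC.match(raw))
    y, mo, d, h, mi, s, ms = m.captures.map(&:to_i)
  elsif (m = NAMED.match(raw))
    idx = MONTHS.index(m[2].capitalize)   # 'feb', 'FEB' and 'Feb' all match
    return nil if idx.nil?
    y, d, h, mi, s = [m[1], m[3], m[4], m[5], m[6]].map(&:to_i)
    mo = idx + 1
    ms = 0                                # this format carries no milliseconds
  else
    return nil
  end
  # Reject values that match the pattern but are not real dates or times.
  return nil unless Date.valid_date?(y, mo, d) && h < 24 && mi < 60 && s < 60
  format('%04d-%02d-%02d %02d:%02d:%02d,%03d', y, mo, d, h, mi, s, ms)
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |raw| puts "#{raw.inspect} -> #{normalize_timestamp(raw).inspect}" }
end
```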
