Grok Date and time format

Jpuch · April 8, 2016, 1:57pm

Hello,

i have this king of log :
Aug 14 00:00:01 10.33.2.254 date=2015-08-14,time=00: 03:01, ...

I'm not interrested in the first date and time (Aug 14 00:00:01) but by the second one : ( date=2015-08-14 and time=00: 03:01)

my first problem was the " " in this time field.

i removed it with :

filter {
  mutate {
    gsub => [
      "time", " ", ""
    ]
  }
}

now, i would like to merge date and time as a an unique date field and not as a string, so it can be usable in kibana.

thanks for reading

warkolm · April 9, 2016, 7:20am

https://www.elastic.co/guide/en/logstash/current/plugins-filters-mutate.html#plugins-filters-mutate-merge maybe?

Jpuch · April 11, 2016, 1:40pm

Hi,

I tried this :

filter{
  mutate {
    gsub => [
      "time", " ", ""
    ]
  merge  => ["date", "%{date} %{time}"]
  }
  date {
    match => [ "date" , "yyyy-MM-dd HH:mm:ss" ]
    locale => "en"
  }
}

but in my date field i still have the space in my time field :

but when i look only at my time field the space isn't there :

How can i precise to grok that i want to take the time field without the space in.

Thanks

Christian_Dahlqvist · April 11, 2016, 1:45pm

Commands within a mutate block can be executed in any order, so try defining two mutate blocks, the first with the gsub and the second with the merge.

Alex_6 · April 11, 2016, 3:58pm

I'm being slightly off-topic, you're saying that order isn't guaranteed in a single mutate block? Uh oh... I have some changes to make now...