Hello,
I have a problem and need help.
This is my log file type:
2019-01-28 07:37:25 52.62.158.16 - HTTP 192.168.25.80 443 GET /cpadmin/jquery-ui.min.js - 304 573 197 0 HTTP/1.1 Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+coc_coc_browser/77.0.126+Chrome/71.0.3578.126+Safari/537.36 JSESSIONID=0001EDFQ51w4GbNyiY8zUAlBhee:-1986MV https://google.com/search?q=demo
This is logstash config:
input {
  beats {
    port => 5044
  }
}
filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:timestampx} %{IPV4:c_ip} %{NOTSPACE:cs_username} %{NOTSPACE:s_sitename} %{IPV4:s_ip} %{NUMBER:s_port} %{WORD:method} %{URIPATH:uri_path} %{NOTSPACE:custom_string_01} %{NUMBER:status} %{NUMBER:bytessent} %{NUMBER:bytesrecvd} %{NUMBER:timetaken} %{NOTSPACE:version} %{NOTSPACE:user_agent} %{NOTSPACE:custom_string_02} %{NOTSPACE:referer}"}
  }
  date {
    # The pattern list must match the field's actual format ("2019-01-28 07:37:25");
    # "MMM d HH:mm:ss" does not, so the filter tags _dateparsefailure and @timestamp
    # keeps the ingest time. By default a successful match is written to @timestamp.
    match => [ "timestampx", "yyyy-MM-dd HH:mm:ss", "ISO8601" ]
  }
  geoip {
    source => "c_ip"
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "logweb-%{+YYYY.MM.dd}"
  }
  stdout { codec => rubydebug }
}
The output timestampx is a string: 2019-01-28 07:37:25, not a date type.
I want to replace timestamp with timestampx (timestampx converted from the log file, not using the system time - same timestamp).
Thanks for your help.
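As an added example (not code from the original post), the following Python re-implements the grok and date steps over the posted log line, showing why a "MMM d HH:mm:ss" style pattern fails on this field and what a matching pattern yields; it assumes the log file's timestamps are in UTC.

```python
import re
from datetime import datetime, timezone

# Constructed sample, copied from the log line shown in the question.
SAMPLE_LINE = (
    "2019-01-28 07:37:25 52.62.158.16 - HTTP 192.168.25.80 443 GET "
    "/cpadmin/jquery-ui.min.js - 304 573 197 0 HTTP/1.1 "
    "Mozilla/5.0+(Windows+NT+10.0;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)"
    "+coc_coc_browser/77.0.126+Chrome/71.0.3578.126+Safari/537.36 "
    "JSESSIONID=0001EDFQ51w4GbNyiY8zUAlBhee:-1986MV https://google.com/search?q=demo"
)

# Named groups mirror the grok field names from the question's filter.
LOG_RE = re.compile(
    r"^(?P<timestampx>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<c_ip>\S+) (?P<cs_username>\S+) (?P<s_sitename>\S+) (?P<s_ip>\S+) "
    r"(?P<s_port>\d+) (?P<method>\w+) (?P<uri_path>\S+) (?P<custom_string_01>\S+) "
    r"(?P<status>\d+) (?P<bytessent>\d+) (?P<bytesrecvd>\d+) (?P<timetaken>\d+) "
    r"(?P<version>\S+) (?P<user_agent>\S+) (?P<custom_string_02>\S+) (?P<referer>\S+)$"
)

# strptime equivalents of the Logstash date patterns discussed above.
WRONG_FORMATS = ["%b %d %H:%M:%S"]  # Logstash "MMM d HH:mm:ss" / "MMM dd HH:mm:ss"
RIGHT_FORMAT = "%Y-%m-%d %H:%M:%S"  # Logstash "yyyy-MM-dd HH:mm:ss"


def parse_timestamp(value, formats):
    """Try each format in order like the date filter's match list.
    Returns an aware UTC datetime (assumption: logs are written in UTC),
    or None when nothing matches, which is the _dateparsefailure case."""
    for fmt in formats:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_line(line, formats=(RIGHT_FORMAT,)):
    """Grok-like split of one line plus the date step; None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    for key in ("s_port", "status", "bytessent", "bytesrecvd", "timetaken"):
        event[key] = int(event[key])          # NUMBER fields become integers
    event["@timestamp"] = parse_timestamp(event["timestampx"], formats)
    if event["@timestamp"] is None:
        event["tags"] = ["_dateparsefailure"]  # what Logstash would add on failure
    return event
```

A failed parse leaves the event stamped with ingest time rather than request time, which silently shifts any timeline built from these web logs.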