Grok patter to remove trailing milliseconds

newmember · August 17, 2021, 8:24am

Two record formats that start a multiline event, what grok statement might I use to keep the milliseconds and set the time as the @timestamp field? Maybe I have to drop the milliseconds?

Thank you

23:29:53.425: Sending [0,UDP] 467 bytes to 10.80.131.7:5060 >>>>>
@23:29:53.425: Sending [0,UDP] 467 bytes to 10.80.131.7:5060 >>>>>

I have been all over the map trying different regex and grok ideas:
^(@)?(?[^:]):(?[^:]):(?[^.]*)
(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])
TIMESTAMP_ISO8601
etc

matw · August 19, 2021, 6:16am

Where are you using those grok patterns (Logstash)? Because we've got a nice channel for that

newmember · August 19, 2021, 1:14pm

In kabana.

system · September 16, 2021, 1:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.