Grok TIMESTAMP_ISO8601 doesnot capture TZ

pfseth · March 6, 2018, 6:17pm

How can i parse TZ using grok

2018-03-05 21:29:31 -0500,188c3263-2519-4a8d-825c-4605c53b720e

TIMESTAMP_ISO8601 does not capture -0500

Grok Debugger ...

{
  "TIMESTAMP_ISO8601": [
    [
      "2018-03-05 21:29:31"
    ]
  ],
  "YEAR": [
    [
      "2018"
    ]
  ],
  "MONTHNUM": [
    [
      "03"
    ]
  ],
  "MONTHDAY": [
    [
      "05"
    ]
  ],
  "HOUR": [
    [
      "21",
      null
    ]
  ],
  "MINUTE": [
    [
      "29",
      null
    ]
  ],
  "SECOND": [
    [
      "31"
    ]
  ],
  "ISO8601_TIMEZONE": [
    [
      null
    ]
  ]
}

pfseth · March 6, 2018, 9:06pm

Is this efficient way to match ?

(?<timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]*\d{4})\,%{UUID:session_id}

system · April 3, 2018, 9:06pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.