Grok timestamp

Elastic Stack Logstash
1

20170118154716225
plz what is its format in grok ?

2

to notice i want it to be a date
YYYYMMDDHHmmssSSS

3

For example (?<timestamp>%{YEAR}%{MONTHNUM}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}\d+).

Of course, this string also happens to be an integer so unless you want validation that the input string really is a YYYYMMDDHHmmssSSS timestamp you can just do %{INT:timestamp}.

4

hi magnus
i think you didn t understand me
i want the input to be YYYYMMDDHHmmssSSS (for example 20170118154716225)
and i want the grok to consider it as date

5

You have a log where each line contains a timestamp like e.g. 20170118154716225, yes? Then the grok expression samples I gave will extract that into a field named timestamp that you can feed to the date filter.

6

okay thank you magnus !!!

7

just one thing magnus plz
where i put
(?%{YEAR}%{MONTHNUM}%{MONTHDAY}%{HOUR}%{MINUTE}%{SECOND}\d+). ?

8

In your grok expression in your grok filter. The (?<fieldname>...) syntax I used is described in the grok filter documentation.

9

sory i didn t understand this is my grok
grok {
match => ["message","%{TIMESTAMP_ISO8601:datePvin} : %{UUID:id} %{INT:daterecepPvin} %{NUMBER:datefintraitPvin} %{NUMBER:delai} %{WORD:nomFlux} %{GREEDYDATA:evts} %{WORD:BU} %{NUMBER:reforigin} %{NOTSPACE:contractoidval} %{DATA:useroidval} %{DATA:errorStatus} %{GREEDYDATA:errorDesc} %{NOTSPACE:servname}"] }

and i want to do this treatment on %{INT:daterecepPvin} how the grok will become ?

10

So you're already capturing the timestamp into the daterecepPvin field? What more do you want to achieve?

11

i don t want it to be INT but a DATE

12

The grok filter doesn't create dates. It creates strings, integers, and floats. If you the timestamp you have to become a date in ES you need to adjust your mappings or use the date filter to convert it into a string that ES will recognize as a date out of the box.

13

i didn t recognize how to use the date filter i tried this grok {

		match => ["message","%{TIMESTAMP_ISO8601:datePvin} : %{UUID:id} %{timeStamp:daterecepPvin} %{NUMBER:datefintraitPvin} %{NUMBER:delai} %{WORD:nomFlux} %{GREEDYDATA:evts} %{WORD:BU} %{NUMBER:reforigin} %{NOTSPACE:contractoidval} %{DATA:useroidval} %{DATA:errorStatus} %{GREEDYDATA:errorDesc} %{NOTSPACE:servname}"]

}
date {

match => [ "daterecepPvin" , "YYYYMMDDHHmmssSSS" ]

}

}

but it didn t work

14

Check the Logstash log. If the date filter fails it'll give you clues.

15

ok thanks