Grok Timezone/DateTime parsing issues

alilland · June 26, 2018, 7:21pm

I have logs that are spitting out in the following format:

[2018-06-24 07:00:03 -0700] DEBUG - CrewManagement::API - backbone:sync_tokens - {\"description\":\"Sync local tokens with Backbone-Auth - 114\",\"success\":true}

I have messed around with the Grok Debugger, and I can extract everything except the -0700 part. I need to extract the Timestamp and convert it into a UTC date for kibana to see

I'm currently stuck on

%{TIMESTAMP_ISO8601:event_timestamp} %{DATA:timezone}

# -------- which computes to the following --------
{
  "event_timestamp": [
    ["2018-06-24 07:00:03"]
  ],
  "YEAR": [
    ["2018"]
  ],
  "MONTHNUM": [
    ["06"]
  ],
  "MONTHDAY": [
    ["24"]
  ],
  "HOUR": [
    [ "07", null]
  ],
  "MINUTE": [
    ["00", null]
  ],
  "SECOND": [
    ["03"]
  ],
  "ISO8601_TIMEZONE": [
    [null]
  ],
  "timezone": [
    [""]
  ]
}

Badger · July 2, 2018, 7:47pm

I would do that using dissect.

    dissect { mapping => { "message" => "[%{ts} %{+ts} %{+ts}] %{level} - %{something} - %{somethingElse} - %{restOfLine}" } }
    date { match => [ "ts", "yyyy-MM-dd HH:mm:ss Z" ] }

system · July 30, 2018, 7:47pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.