Help with Date

debarun · November 16, 2016, 11:17am

Hi,

I need to replace the time coming from the logs to timestamp field.

But i keep getting a parse failure.

The loglines look like

Time Stamp 11/14/16 15:14:25 Event Number 2004

I am using the following filters:-

grok {
patterns_dir => [ "/etc/logstash/conf.d/pattern" ]
match => [ "message","Time Stamp %{DATE:logdate} %{TIME:logtime} Event Number %{NUMBER:enevtnumber} ]
}

mutate {
add_field => {
"timestamp" => "%{logdate} %{logtime}"
}}

date {
locale => "en"
match => [ "timestamp" , "dd/mm/yy HH24:mi:ss" ]
}

debarun · November 16, 2016, 5:23pm

Hi,

Any help is welcome.

Regards,
Debarun.

txisme · November 16, 2016, 5:47pm

i have this and it works:

 date
                    {
                            match => ["time3", "UNIX_MS"]
                                    target => "myTime"
                    }

so try to add the target line to create your timestamp variable.

Hans · November 17, 2016, 5:49pm

Maybe this will work for you:
date { locale => "en" match => ["timestamp", "dd/MM/YY HH:mm:ss", "ISO8601"] timezone => "Africa/Windhoek" target => "@timestamp" add_field => { "debug" => "timestampMatched"} }

aeva_assured · November 17, 2016, 7:19pm

In the example you posted you are missing the trailing quotation in your match pattern.

should be

debarun · November 18, 2016, 11:07am

Hi Guys,

Thanks for the response.

@Hans

This one worked , Thanks once again.

regards,
Debarun

system · December 16, 2016, 11:07am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.