I'm sure I'm overthinking this and missing something..
I'm getting logs from a tomcat application where the timestamp is in this format:
2016-07-18 17:55:23.423 -0400
Right now, I'm parsing them as 2 separate fields (@timestamp and OFFSET) and I would like to either
A) parse them together with grok,
or
B) use the date block to combine them somehow.
The end result is I want to have a date object that has taken the offset into account.
Hey David,
I have experienced this before.
What you need to do is encapsulate them like this:
(?%{DATE} %{TIME})
What happens here is it says, that I have a TIME and DATE format. And if there is, I need them to be Concatenated and call them "variableName".
I use this Handy tool, http://grokdebug.herokuapp.com/ so I dont have to keep running Logstash.
Thanks,
(?%{DATE} %{TIME})
Always format stuff like this as code so it comes out the way you intended. I'm pretty sure you meant this:
(?<timestamp>%{DATE} %{TIME})
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.