How should I filter this date?

AbelAlejandro · August 12, 2021, 10:08am

My logs are TSVs that look like the following:

|timestamp_fmt|timestamp_ms|key|tictoc_ms|mem_jvm|mem_phy_os|tags|comment|
|---|---|---|---|---|---|---|---|
|2021-08-11T13-55-39.202|1628682939202|SCENARIO|TIC|4548715304|11172929536||Dashboard-SomeTest|
|2021-08-11T13-55-39.207|1628682939207|STEP|TIC|4548715304|11172954112||I login as 'admin'|

But there's a T in my Date and I when I try to add that date format it is not correctly recognized by Elastic.

filter {
  grok {
    match => ["message", "%{DATA:timestamp} .*"]
  }
  date {
    match => ["timestamp", "HH:MM:ss.SSSZZZ"]
  }
}

Badger · August 12, 2021, 3:16pm

The pattern has to match every single character in the field it is trying to parse.

The grok makes no sense to me. It is not going to find a space to terminate the [timestamp] field until it gets to I login as 'admin'.

system · September 9, 2021, 3:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.