Looking to parse vmstat data using Logstash. There will be a timestamp at the beginning of each interval, followed by metrics. Here, I need a timestamp value from the vmstat data so that I can use it to overwrite the default Logstash timestamp (@timestamp).
Input data:
Mon Apr 04 01:33:13 EDT 2016
r b swpd free buff cache si so bi bo in cs us sy id wa st
2 0 5172 174696 32256 231448 0 0 42 112 29 35 0 0 99 0 0
0 0 5172 174684 32256 231448 0 0 0 0 12 16 0 0 100 0 0
0 0 5172 174684 32256 231448 0 0 0 0 7 8 0 0 100 0 0
0 0 5172 174684 32256 231448 0 0 0 0 9 10 0 0 100 0 0
0 0 5172 174684 32256 231448 0 0 0 0 8 10 0 0 100 0 0
0 0 5172 174684 32256 231448 0 0 0 0 9 10 0 0 100 0 0
0 0 5172 174684 32256 231448 0 0 0 0 7 8 0 0 100 0 0
Using the grok filter, I was able to match the metrics, but in the output I can see the timestamp value as the time Logstash started processing. I need the same timestamp for the subsequent events also. So, trying to solve this problem.
Expected output:
{
"host" => "hostname",
"timestamp": "Mon Apr 04 01:33:13 EDT 2016",
"r" => 2,
"b" => 0,
"swpd" => 5172,
"free" => 174696
...
}
{
"host" => "hostname",
"timestamp": "Mon Apr 04 01:33:15 EDT 2016",
"r" => 0,
"b" => 0,
"swpd" => 5172,
"free" => 174684
...
}
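The carry-forward behaviour asked for above, as an added example in plain Ruby that is not part of the original post and does not use any Logstash API. It assumes each timestamp line applies to every metrics row until the next timestamp line; `parse_vmstat`, `SAMPLE` and the `'@timestamp'` key are hypothetical names, and the second interval in the sample is constructed.

```ruby
require 'time'

# Column names taken from the vmstat header line in the post.
VMSTAT_COLUMNS = %w[r b swpd free buff cache si so bi bo in cs us sy id wa st].freeze
# Format of the interval line, e.g. "Mon Apr 04 01:33:13 EDT 2016".
STAMP_FORMAT = '%a %b %d %H:%M:%S %Z %Y'.freeze

# Hypothetical helper: returns [events, skipped]. Every metrics row becomes a
# hash stamped with the most recent interval timestamp seen above it.
def parse_vmstat(text, host: 'hostname')
  current_raw = nil # timestamp line exactly as written
  current_utc = nil # same instant normalised to UTC (ISO 8601)
  events = []
  skipped = []
  text.each_line do |line|
    fields = line.split
    next if fields.empty? || fields == VMSTAT_COLUMNS # blank or column header
    if fields.size == VMSTAT_COLUMNS.size && fields.all? { |f| f.match?(/\A\d+\z/) }
      if current_raw.nil?
        skipped << line.strip # metrics seen before any timestamp line
        next
      end
      event = { 'host' => host, 'timestamp' => current_raw, '@timestamp' => current_utc }
      VMSTAT_COLUMNS.zip(fields) { |name, value| event[name] = Integer(value, 10) }
      events << event
    else
      begin
        parsed = Time.strptime(line.strip, STAMP_FORMAT)
        current_raw = line.strip
        current_utc = parsed.utc.iso8601
      rescue ArgumentError
        skipped << line.strip # not a header, metrics row or timestamp
      end
    end
  end
  [events, skipped]
end

# Sample input: first interval copied from the post, the rest constructed.
SAMPLE = <<~VMSTAT
  0 0 5172 174684 32256 231448 0 0 0 0 7 8 0 0 100 0 0
  Mon Apr 04 01:33:13 EDT 2016
  r b swpd free buff cache si so bi bo in cs us sy id wa st
  2 0 5172 174696 32256 231448 0 0 42 112 29 35 0 0 99 0 0
  0 0 5172 174684 32256 231448 0 0 0 0 12 16 0 0 100 0 0
  Mon Apr 04 01:33:15 EDT 2016
  0 0 5172 174684 32256 231448 0 0 0 0 9 10 0 0 100 0 0
VMSTAT

parse_vmstat(SAMPLE).first.each { |event| puts event }
```

The first sample row has no timestamp above it, so it lands in `skipped` instead of being stamped with the processing time.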