How to convert my time with the date filter for kibana

I need to exploit this log line:

30361  30485  494 8861012      42:42 /plw/modules/bin/Lx86_64/opx2-intranet.exe -I /plw/modules/bin/Lx86_64/opx2-intranet.dxl -H /plw/modules/bin/Lx86_64 -L /plw/PLW_PROD/modules/preload-intranet.ini -- plw-sysconsole -port 8400 -logdir /plw/PLW_PROD/httpdocs/admin/log/ -slaves 2

My goal is to recover the time it took the system to boot up, here 42:42. The problem is that the format can be mm:ss as here, or HH:mm:ss, for example 01:42:30. I'd like to know which grok pattern to use. Here's my conf file:

input {
    file { 
        path => ["/home/mathis/Documents/*"]
        start_position => "beginning"
        sincedb_path => "/dev/null"
    }
}

filter {
    grok {
        match => {"message" => ["%{NUMBER}%{SPACE}%{NUMBER}%{SPACE}%{NUMBER}%{SPACE}%{NUMBER}%{SPACE}%{TIME:starttime}"]}
        remove_field => "message"
    }
    date {
            match => [ "starttime", "HH:mm:ss","mm:ss" ]
    }
}
output {
    elasticsearch {
        hosts => "127.0.0.1:9200"
        index => "logstash-local3-%{+YYYY.MM.dd}"
    }
}

Unfortunately, the syntax of TIME is HH:mm:ss and does not include mm:ss.

Try this: The last part is the original time pattern just with optional hours.

%{NUMBER}%{SPACE}%{NUMBER}%{SPACE}%{NUMBER}%{SPACE}%{NUMBER}%{SPACE}(?<starttime>((?!<[0-9])%{HOUR}:)?%{MINUTE}(?::%{SECOND})(?![0-9]))

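The Ruby sketch below is an added example, not code from either poster. It expands the grok sub-patterns by hand (Ruby uses the same Oniguruma regex syntax as grok) to show that the stock TIME shape rejects mm:ss while the optional-hour variant from the reply accepts both forms. Converting the capture to seconds goes beyond the thread. `PREFIX` is a simplified stand-in for the four `%{NUMBER}%{SPACE}` pairs, the first sample line is the page's line with its command shortened, and the second is constructed.

```ruby
# Grok sub-patterns expanded by hand (definitions from the stock grok-patterns file).
HOUR   = /(?:2[0123]|[01]?[0-9])/
MINUTE = /(?:[0-5][0-9])/
SECOND = /(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)/

# Assumption: simplified stand-in for the four leading %{NUMBER}%{SPACE} pairs;
# the columns are treated as plain unsigned integers, as in the sample line.
PREFIX = /(?:\d+\s*){4}/

# Stock %{TIME}: the hour is mandatory, so "42:42" can never match.
STOCK_TIME = /#{PREFIX}(?<starttime>(?!<[0-9])#{HOUR}:#{MINUTE}(?::#{SECOND})(?![0-9]))/

# Variant from the reply: same pattern with the hour made optional.
# The inner named groups are added here so the parts can be converted.
OPTIONAL_HOUR = /#{PREFIX}(?<starttime>(?:(?!<[0-9])(?<hour>#{HOUR}):)?(?<minute>#{MINUTE}):(?<second>#{SECOND})(?![0-9]))/

# Sample input: the page's log line with its command shortened, and a constructed HH:mm:ss line.
MMSS_LINE   = "30361  30485  494 8861012      42:42 /plw/modules/bin/Lx86_64/opx2-intranet.exe"
HHMMSS_LINE = "30361  30485  494 8861012   01:42:30 /plw/modules/bin/Lx86_64/opx2-intranet.exe"

# Returns the captured time as a number of seconds, or nil when the line
# does not match. A missing hour group is nil, and nil.to_i is 0.
def elapsed_seconds(line)
  m = OPTIONAL_HOUR.match(line)
  return nil unless m
  m[:hour].to_i * 3600 + m[:minute].to_i * 60 + m[:second].to_i
end

if __FILE__ == $0
  [MMSS_LINE, HHMMSS_LINE].each do |line|
    stock = STOCK_TIME.match(line)
    opt   = OPTIONAL_HOUR.match(line)
    puts "stock TIME:    #{stock ? stock[:starttime] : 'no match'}"
    puts "optional hour: #{opt[:starttime]} (#{elapsed_seconds(line)} s)"
  end
end
```

In a Logstash pipeline, a numeric seconds field like this would be stored as a number rather than passed through the `date` filter.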
