How to format, yyyymmdd to yyyy-mm-dd in a log file?

Kulasangar_Gowrisang · August 23, 2016, 10:18am

I've started working around with the ELK tool stack since few weeks. What I need is to get the timestamp of the log event which includes date and the time and show it in a different field (ie: log_timestamp). I've tried pulling out all the options for the Datestamp, but nothing worked. This is a line of the log file which I have.

"20160805 00:00:01.296,GetProvisioning,3,W1oOOW8oj58GhglVjVNg0Ssl4CXA1P,50219--1958335734-1470326399706,SUCCESS,GetProvisioningTransactionId-01223,null,W1oOOW8oj58GhglVjVNg0Ssl4CXA1P,en,CELCOM_MY_DCB
"
I need to format the date of the log event as yyyy-mm-dd since i'm unable to use the "Date" grok filters. Or is there a way that I can filter it out with the above yyyymmdd date format which is originally there in the log file?

Any help would be appreciated.

m0n0lith · August 23, 2016, 10:52am

You could make your own version of "SYSLOGTIMESTAMP". And have that added to 'timestamp' and then do a 'date {}' on it.
Something like:
OWNTIMESTAMP %{YEAR}%{MONTHNUM}%{MONTHDAY} %{TIME}
And use it in grok like:
grok { patterns_dir => "/path/to/own-patterns/" match => [ "message", "%{OWNTIMESTAMP:timestamp},%{GREEDYDATA:rest_message}" ] } date { match => [ "timestamp", "yyyyMMdd HH:mm:ss" ] }
You can add multiple date matches. And if you like mutate to the format you want.

Kulasangar_Gowrisang · August 23, 2016, 11:04am

Thank you, it works.

Kulasangar_Gowrisang · August 23, 2016, 11:26am

May I know how could I add my pattern %{OWNTIMESTAMP} as a new field?
Tried adding this in both grok plus date filters but didn't work:

add_field => { "logtimestamp" => "%{OWNTIMESTAMP}" }