How to get filebeat source date field?

aabababba · December 5, 2018, 8:54am

like this

/home/api/log/20181205/20181205_152840.log

I want "20181205" can out put date field in logstash.

steffens · December 5, 2018, 3:44pm

The file name is forwarded in the source field to Logstash. You can use grok/dissect to extract it. Not sure if date filter can parse it in Logstash. At worst you will have to use the ruby filter.

aabababba · December 6, 2018, 1:36am

I set this ,but can't have data.

grok {
        match => {
            "source"  =>  "%{GREEDYDATA:sth1}/%{YEAR}%{MONTHNUM}%{MONTHDAY}%/{GREEDYDATA:sth2}"
             }
          }

steffens · December 6, 2018, 1:30pm

Better store the date in a field. Plus, it seems you have a syntax error in the last section.

e.g. capturing complete date into a field named ts:

grok {
        match => {
            "source"  =>  "%{GREEDYDATA:sth1}/%{PATH_TS:ts}/%{GREEDYDATA:sth2}"
         }
         pattern_definitions => {
           "PATH_TS" => "%{YEAR}%{MONTHNUM}%{MONTHDAY}"
         }

}

This gets you the fields sth1, ts, and sth2. You still must transform the ts field to a date.

aabababba · December 7, 2018, 1:56am

thanks,but 'ts' can't not get data, I use 'dissect', it work now.

system · January 4, 2019, 3:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extract field from source Logstash	7	663	May 4, 2018
Get filename using beats and filter it in logstash Logstash	6	1843	August 9, 2019
Problem with data field in logstash Logstash	3	227	July 26, 2023
Unable to parse datetime from log message Logstash	5	960	February 21, 2019
_dateparsefailure csv date time YYYY-MM-dd HH:mm:ss Logstash	1	381	July 17, 2020

How to get filebeat source date field?

Related topics