How to Parse and Copy a Field

MultiplierMultiplier · January 3, 2018, 12:35pm

I have the TimeStamp field and I would like to extract the hour of the day so that I can look for out of hours user activity.

Jan 3 12:09:01

filter {
grok {
match => { "TimeStamp" => "%{WORD}\s%{NUMBER}\s%{NUMBER:HourOfDay}:%{NUMBER}:%{NUMBER}" }
}
}

At the top you can see an example of TimeStamp and below is how I would go about parsing it. I would like to however on parse the hour of the day into the new field HourOfDay and then keep the TimeStamp field as is.

Would this grok config work?

Cheers,

G

magnusbaeck · January 3, 2018, 7:13pm

Would this grok config work?

Why not try it out? It looks okay but you'll probably want %{NUMBER:HourOfDay:int} to make the field an integer.

MultiplierMultiplier · January 5, 2018, 12:39pm

Hi @magnusbaeck I tried changing my config to the above and restarted Logstash, upon restarting my whole VM locked up and I had to restart the entire thing! Logstash didn't write to any of the logs (it's set to debug mode) and I had to just remove the grok pattern.

I'm unsure where to go from here.

Cheers,

G

magnusbaeck · January 5, 2018, 9:17pm

I find it very hard to believe that that configuration change crashed the whole VM.

MultiplierMultiplier · January 8, 2018, 9:14am

Hi there @magnusbaeck I think I found out why the VM crashed. Logsash log level was set to DEBUG, once I got back into the VM (as Logstash doesn't automatically start when the VM does) I found there to be around 15GB of log files created by Logstash. I will set the log level to normal and retry the grok.

Cheers,

G

system · February 5, 2018, 9:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.