How to read two different timestamps

Hi,

I am getting an issue while indexing the data.

My log file:

    2019-01-02 14:31:02 [00000001] info [native] Apache reports revision 2.2.8()
    2019-01-02 14:31:02 [00000001] info [native] Apache reports version string (irrelevant for dtagent)
    2019-01-02 14:31:02 [00000001] info [native] => Detected Apache version 2.2
    [Wed Jan 02 14:31:03 2019] [notice] ---------------------------------------------------
    [Wed Jan 02 14:31:03 2019] [notice] Using config
    [Wed Jan 02 14:31:03 2019] [notice] foo bar

I have two different timestamps in my log file. How do I index them with the same timestamp?

While creating an index pattern, I am getting two different patterns like @timestamp and date.

How do I merge the date with the timestamp?

Here is my config file:

    # lines that start with a "20xx-" date
    if [message] =~ /^20/ {
        grok {
            match => {
                "message" => "%{URIHOST:date} %{TIME:time} %{NAGIOSTIME:err_number} %{CISCO_REASON:loginfo}%{SYSLOG5424SD:native} %{GREEDYDATA:error_msg}"
            }
        }
    }

    # lines that start with a bracketed Apache-style timestamp
    if [message] =~ /^\[/ {
        grok {
            match => {
                "message" => "%{SYSLOG5424SD:logtime} %{SYSLOG5424SD:info}"
            }
        }
        date {
            match => [ "logtime", "[EEE MMM dd HH:mm:ss yyyy]" ]
            target => "@timestamp"
        }
    }

I would use dissect rather than grok.

    if [message] =~ /^\[/ {
        # "[Wed Jan 02 14:31:03 2019] [notice] ..." : %{+ts} appends the next token to ts
        dissect { mapping => { "message" => "[%{ts} %{+ts} %{+ts} %{+ts} %{+ts}] [%{level}] %{restOfLine}" } }
    } else {
        # "2019-01-02 14:31:02 [00000001] info [native] ..."
        dissect { mapping => { "message" => "%{ts} %{+ts} [%{loginfo}] %{level} [%{native}] %{restOfLine}" } }
    }
    # use "yyyy" (year of era), not "YYYY" (week-year), or dates near a year boundary shift
    date { match => [ "ts", "yyyy-MM-dd HH:mm:ss", "EEE MMM dd HH:mm:ss yyyy" ] }

@badger
Thank you for your help. Somehow I managed with grok itself.

Updated config file:

    mutate {
        add_field => {
            "logtime" => "%{date} %{time}"
        }
        remove_field => ["date", "time"]
    }
    date {
        match => [ "logtime", "yyyy-MM-dd HH:mm:ss", "[EEE MMM dd HH:mm:ss yyyy]" ]
        target => "@timestamp"
    }
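
The same two-format normalisation outside Logstash, as an added Python example that is not code from this thread: it recognises both line shapes shown above, parses each timestamp, and emits one timezone-aware `@timestamp` per event so both kinds of line sort and correlate together. The sample lines are constructed copies of the formats posted above, and UTC is an assumption, since neither format carries a zone (the Logstash `date` filter has the same gap unless its `timezone` option is set).

```python
import re
from datetime import datetime, timezone

# Constructed sample lines copying the two formats from the thread (not real logs).
SAMPLE_LINES = [
    "2019-01-02 14:31:02 [00000001] info [native] Apache reports revision 2.2.8()",
    "2019-01-02 14:31:02 [00000001] info [native] => Detected Apache version 2.2",
    "[Wed Jan 02 14:31:03 2019] [notice] Using config",
    "[Wed Jan 02 14:31:03 2019] [notice] foo bar",
]

# dtagent-style line: "<ts> [<loginfo>] <level> [<native>] <rest>"
AGENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<loginfo>[^\]]*)\] "
    r"(?P<level>\S+) \[(?P<native>[^\]]*)\] (?P<rest>.*)$"
)
# Apache error_log-style line: "[<EEE MMM dd HH:mm:ss yyyy>] [<level>] <rest>"
APACHE_RE = re.compile(
    r"^\[(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\] "
    r"\[(?P<level>[^\]]*)\] (?P<rest>.*)$"
)

# Neither format carries a zone, so pin the log host's zone explicitly instead of
# inheriting whatever zone the parsing machine happens to run in (assumption: UTC).
LOG_TZ = timezone.utc


def parse_line(line, tz=LOG_TZ):
    """Map either line shape to one event dict with a single aware '@timestamp'."""
    m = AGENT_RE.match(line)
    if m:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        fmt = "agent"
    else:
        m = APACHE_RE.match(line)
        if m is None:
            return None  # unknown shape: leave it for a parse-failure path, never guess
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        fmt = "apache"
    event = m.groupdict()
    del event["ts"]  # the raw string is replaced by the parsed field below
    event["@timestamp"] = ts.replace(tzinfo=tz)
    event["format"] = fmt
    return event


def parse_all(lines, tz=LOG_TZ):
    """Parse raw lines in order, dropping any that match neither format."""
    return [e for e in (parse_line(l, tz) for l in lines) if e is not None]
```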
