How to remove date and time in message

Roccof97 · January 13, 2022, 1:42pm

Hi,

how can i remove the date and time from the message field? and above all is it possible?
example screen shot:

Tomo_M · January 13, 2022, 2:38pm

I suppose it is possible using grok filter plugin with logstash while ingestion.

Roccof97 · January 13, 2022, 2:45pm

i'm already using the grock filter but i can't figure out how to remove the date from the message i tried the gsub function but i didn't succeed here is the example:

if [fields][log_type] == "maillog" {
grok {
break_on_match => false
match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}" }
}
date { match => [ "timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
mutate {

   gsub => ["message", "\d{3} \d{2} \d{2}:\d{2}:\d{2}", ""]

}

leandrojmp · January 13, 2022, 2:59pm

You can use the dissect filter to parse your original message field and override it with everything else except the date.

     dissect {
         mapping => {
             "message" => "%{} %{} %{}:%{}:%{} %{message}"
         }
     }

This will transform any message with the format:

MMM dd HH:mm:ss some text from your message

Into

some text from your message

For example, Jan 13 14:59:30 sample text will become sample text.

system · February 10, 2022, 3:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.