I want to add "yyyy-MM-dd" to the Time field

I want to use "yyyy-MM-dd" from the current time.
Please teach me how to do it.

Raw log.

 9:36:02 (tableau) (@tableau-SLOG@) === Memory Usage Info ===

I use the grok below.

grok {
 match => { "message" => "%{TIME:Time} %{GREEDYDATA:Message}" }
}

Are you saying you have a log file format that only includes the time, so you want to add the current date to it when building [@timestamp]?

The raw log has only the time, as "HH:mm:ss".
I want to add yyyy-MM-dd to the %{TIME:Time} field.

You could use

ruby { code => 'event.set("[@metadata][date]", Time.now.strftime("%Y-%m-%d"))' }
mutate { add_field => { "[@metadata][timestamp]" => "%{[@metadata][date]} %{Time}" } }
date { match => [ "[@metadata][timestamp]", "YYYY-MM-dd HH:mm:ss" ] }

However, if an event arrives on 2021/04/03 00:00:01 which has the time set to 23:59:59 this will result in @timestamp being set to 2021/04/03 23:59:59, which is obviously wrong. You can write some logic to improve the guessed date, but that is not easy. There are open issues around guessing dates in the date filter here, here, and here. They might give you some ideas around pitfalls the logic will need to avoid.
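The midnight case described above, handled with a simple heuristic. This is an added example, not code from this thread or from Logstash, written as plain Ruby so it can be run outside a pipeline; `guess_timestamp`, `MAX_SKEW` and the "events are less than 24 hours old" rule are assumptions made for illustration.

```ruby
# Added example: resolve a time-of-day-only log stamp against the ingest clock.
# Assumptions: events arrive less than 24 hours after they were written, and
# the source clock is at most MAX_SKEW seconds ahead of the ingest clock.

MAX_SKEW = 300     # seconds; constructed tolerance, tune for your environment
DAY      = 86_400  # seconds

# time_str: "H:mm:ss" or "HH:mm:ss", optionally with a fraction, as %{TIME} captures it
# now:      ingest time (a Time), passed in so the logic can be tested
# Returns a Time with the same UTC offset as `now`, or nil if time_str is malformed.
def guess_timestamp(time_str, now = Time.now)
  m = /\A\s*(\d{1,2}):(\d{2}):(\d{2})(?:[.,]\d+)?\s*\z/.match(time_str.to_s)
  return nil unless m

  h, min, s = m.captures.map(&:to_i)
  return nil if h > 23 || min > 59 || s > 59

  # Start from "today" on the ingest clock, using a fixed offset so that
  # subtracting DAY always lands on the same wall-clock time one day earlier.
  candidate = Time.new(now.year, now.month, now.day, h, min, s, now.utc_offset)

  # A stamp far ahead of the ingest clock cannot be from today: it was
  # written before midnight, so it belongs to the previous calendar day.
  candidate -= DAY if candidate - now > MAX_SKEW
  candidate
end

# Constructed sample: the case from the post above, an event stamped
# 23:59:59 that is ingested at 2021-04-03 00:00:01.
ingest = Time.new(2021, 4, 3, 0, 0, 1, 0)
puts guess_timestamp("23:59:59", ingest)   # resolves to 2021-04-02, not 2021-04-03
puts guess_timestamp(" 9:36:02", Time.new(2021, 4, 3, 9, 36, 5, 0))
```

The heuristic still guesses wrong for events delayed by more than a day, which is why keeping the ingest time alongside the guessed time is useful when reconstructing a timeline.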

Thanks for the reply, Badger.

But I decided to use @timestamp because I want the raw time.

grok {
 match => { "message" => "%{GREEDYDATA:Message}" }
}
mutate {
   copy => { "@timestamp" => "Time" }
}
