For a start, I'm trying to separate the datetime into a separate field and most likely make it a timestamp in Kibana.
Here is an example of my log:
2024-10-27 22:00:32.289 [DefaultQuartzScheduler_Worker-5] DEBUG c.c.t.s.a.f.t.i.SomeMethod[run()][line 154]: Some log message here "with quatation" or without
In logstash.conf I have a grok expression like this:
filter {
  if [type] == "logfile" {
    grok {
      match => { 'message' => "%{DATA:fc_timestamp}" }
    }
    date {
      match => [ "fc_timestamp", "yyyy-MM-dd HH:mm:ss.SSS" ]
      target => "fc_timestamp"
    }
  }
}
Unfortunately it doesn't create an fc_timestamp field in the index.
The whole grok pattern, which I tested in some grok debugger and which seems to work, is:
DATA can match anything, including nothing at all. If you add keep_empty_captures => true to the grok filter then you will see that "nothing at all" is exactly what it is matching.
"fc_timestamp" => "",
So you need to modify the pattern to force DATA to capture something. If you use %{DATA:fc_timestamp} with a trailing space then you will get
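To make the point in the answer above concrete, here is an added Python example (not from the original thread, and not Logstash's own code) that emulates the grok filter's unanchored, drop-empty-captures matching. The bodies of the stock Logstash patterns it needs are transcribed from the grok-patterns file, simplified where noted so that Python's `re` accepts them. It runs the question's `%{DATA:fc_timestamp}`, the trailing-space variant, and an anchored `%{TIMESTAMP_ISO8601:fc_timestamp}` pattern over a constructed copy of the log line, then feeds the capture through the same `yyyy-MM-dd HH:mm:ss.SSS` format the question's date filter uses. `grok_match`, `parse_timestamp` and `demo` are names chosen for this example.

```python
import re
from datetime import datetime

# Regex bodies of the stock Logstash grok patterns used below, transcribed
# from the grok-patterns file. Simplifications for Python's re: YEAR is
# written as \d{4}, and LOGLEVEL is trimmed to the common upper-case levels.
GROK_PATTERNS = {
    "DATA": r".*?",
    "YEAR": r"\d{4}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?",
    "LOGLEVEL": r"(?:TRACE|DEBUG|INFO|WARN|WARNING|ERROR|FATAL)",
}

_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern: str) -> str:
    """Expand %{NAME} / %{NAME:field} references recursively into one regex."""
    def expand(m):
        name, field = m.group(1), m.group(2)
        body = grok_to_regex(GROK_PATTERNS[name])
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    return _REF.sub(expand, pattern)


def grok_match(pattern: str, message: str, keep_empty_captures: bool = False):
    """Mimic the grok filter: unanchored search; empty captures are dropped
    unless keep_empty_captures is set, exactly like the Logstash option."""
    m = re.search(grok_to_regex(pattern), message)
    if m is None:
        return None  # Logstash would tag the event with _grokparsefailure
    fields = m.groupdict()
    if not keep_empty_captures:
        fields = {k: v for k, v in fields.items() if v}
    return fields


def parse_timestamp(value):
    """Mimic the date filter for the Joda format yyyy-MM-dd HH:mm:ss.SSS."""
    if value is None:
        return None  # field absent: the date filter silently does nothing
    try:
        return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")
    except ValueError:
        return None  # Logstash would tag the event with _dateparsefailure


# Constructed sample line, the same shape as the one in the question.
LOG = ('2024-10-27 22:00:32.289 [DefaultQuartzScheduler_Worker-5] DEBUG '
       'c.c.t.s.a.f.t.i.SomeMethod[run()][line 154]: Some log message here '
       '"with quatation" or without')

# The pattern from the question: DATA is lazy and nothing follows it, so it
# matches the empty string, and the empty capture is then discarded.
BROKEN = "%{DATA:fc_timestamp}"
# The same pattern with a trailing space: DATA now stops at the first space,
# which is only the date part.
TRAILING = "%{DATA:fc_timestamp} "
# Anchored pattern that captures the whole timestamp plus the next two fields.
FIXED = r"^%{TIMESTAMP_ISO8601:fc_timestamp} \[%{DATA:thread}\] %{LOGLEVEL:level} "


def demo():
    """Run all three patterns over the sample line and return the results."""
    fixed = grok_match(FIXED, LOG)
    return {
        "broken": grok_match(BROKEN, LOG),
        "broken_kept": grok_match(BROKEN, LOG, keep_empty_captures=True),
        "trailing": grok_match(TRAILING, LOG),
        "fixed": fixed,
        "fixed_ts": parse_timestamp(fixed.get("fc_timestamp")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The equivalent change in the Logstash config (my suggestion, not part of the answer above) is to replace `%{DATA:fc_timestamp}` with `^%{TIMESTAMP_ISO8601:fc_timestamp}` and keep the existing date filter unchanged, since `yyyy-MM-dd HH:mm:ss.SSS` already fits that capture. Anchoring with `^` matters beyond performance: the free-text part of a log line can contain user-supplied input, and without the anchor a date string embedded there could be picked up as the event timestamp.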