Hi,
I have still problem to get right timestamp in elastic.
One Row of log looks like:
20210611 111146 SOME Date Field ...
I tried:
grok {
match => [ "message" , "%{DATA:timestamp}" ]
}
date {
match => [ "timestamp","yyyyMMdd HHmmss" ]
timezone => [ "Europe/Berlin" ]
target => "@timestamp"
}
}
Still no chance to get right date format into timestamp
any ideas?
Regards
Axel
Try custom date format, similar to DATESTAMP_EVENTLOG
grok {
match => { "message" => [ "%{DATELOG:timestamp} %{GREEDYDATA}"] }
pattern_definitions => { "DATELOG" => "%{YEAR}%{MONTHNUM2}%{MONTHDAY} %{HOUR}%{MINUTE}%{SECOND}}" }
}
thank you .. unfortunately doesn't working.
filter {
if "fb-uc4" in [tags] {
grok {
match => { "message" => [ "%{DATELOG:timestamp} %{GREEDYDATA}"] }
pattern_definitions => { "DATELOG" => "%{YEAR}%{MONTHNUM2}%{MONTHDAY} %{HOUR}%{MINUTE}%{SECOND}}" }
}
}
}
I receive grok parse failure
REgards
Axel
True, my appology, extra } after SECOND. You don't need %{GREEDYDATA}, it's optional.
grok {
match => { "message" => [ "%{DATELOG:timestamp} "] }
pattern_definitions => { "DATELOG" => "%{YEAR}%{MONTHNUM2}%{MONTHDAY} %{HOUR}%{MINUTE}%{SECOND}" }
}
date {
match => ["timestamp", "YYYYMMdd HHmmss"]
timezone => "Europe/Berlin"
target => "timestamp"
}
Result:
{
"@timestamp" => 2023-02-03T14:07:38.710260900Z,
"message" => "20210611 111146 SOME Date Field",
"timestamp" => 2021-06-11T09:11:46.000Z
}
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.