Hello Experts,
I've just started evaluating ELK and it's working great; we are trying to get this product into use. I'm using version 6.5.
Below are the log patterns:
oradb001,10/03/22,00:29,00-mins
oradb002,11/03/21,18:09,-mins
So, when I try the grok below on the above log pattern, it gives the results shown below:
%{HOSTNAME:hostname},(?<datetime>\d{2}/\d{2}/\d{2},\d{2}:\d{2}),(%{NUMBER:duration}-mins)?(%{NUMBER:duration_hrs}-hrs)?
Result for the first line of text is as follows:
{
"duration": "00",
"hostname": "oradb001",
"datetime": "11/03/21,18:09"
}
While for the second line it produces the following:
{
"hostname": "oradb001",
"datetime": "11/03/21,18:09"
}
Second approach, just changing the grok:
%{HOSTNAME:Hostname},%{DATE:Date},%{HOUR:Time_h}:%{MINUTE:Time_m},%{NUMBER:duration}-%{WORD:tt}
Result:
{
"duration": "00",
"tt": "mins",
"Time_h": "18",
"Hostname": "oradb001",
"Time_m": "09",
"Date": "11/03/21"
}
%{HOSTNAME:Hostname},%{DATE:Date},%{HOUR:Time_h}:%{MINUTE:Time_m},-%{WORD:Duration}
Result:
{
"Time_h": "18",
"Hostname": "oradb001",
"Time_m": "09",
"Duration": "mins",
"Date": "11/03/21"
}
Desired:
{
"hostname": "oradb001",
"datetime": "11/03/21,18:09",
"duration":"-mins"
}
OR
{
"hostname": "oradb001",
"datetime": "11/03/21,18:09",
"duration":"00-mins"
}
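Added example, not part of the original post: the two sample lines replayed through Python `re` equivalents of the first grok and of a corrected one, to show why `%{NUMBER:duration}` drops the unit when no digits are present. The `%{HOSTNAME}` and datetime stand-ins are simplified assumptions, and the grok spelling of the fix is given in a comment.

```python
import re

# Constructed sample lines, copied from the question above.
SAMPLE_LINES = [
    "oradb001,10/03/22,00:29,00-mins",
    "oradb002,11/03/21,18:09,-mins",
]

# Simplified stand-ins for %{HOSTNAME} and the datetime group (assumption:
# grok's real HOSTNAME definition is more permissive, but this is enough here).
HOSTNAME = r"[A-Za-z0-9.-]+"
DATETIME = r"\d{2}/\d{2}/\d{2},\d{2}:\d{2}"

# Python `re` form of the first grok in the question. %{NUMBER:duration} needs
# at least one digit, so on "-mins" the whole optional group is skipped and
# nothing about the duration is captured. (Python spells named groups
# (?P<name>...); grok/Oniguruma spells them (?<name>...).)
ORIGINAL = re.compile(
    rf"^(?P<hostname>{HOSTNAME}),(?P<datetime>{DATETIME}),"
    r"(?:(?P<duration>\d+)-mins)?(?:(?P<duration_hrs>\d+)-hrs)?"
)

# Corrected form: capture the optional digits and the unit together, so both
# "00-mins" and "-mins" land in a single `duration` field. Grok equivalent:
#   %{HOSTNAME:hostname},(?<datetime>\d{2}/\d{2}/\d{2},\d{2}:\d{2}),(?<duration>\d*-(?:mins|hrs))
FIXED = re.compile(
    rf"^(?P<hostname>{HOSTNAME}),(?P<datetime>{DATETIME}),"
    r"(?P<duration>\d*-(?:mins|hrs))"
)


def parse(line, pattern):
    """Return the captured fields, dropping groups that did not match (as grok does)."""
    m = pattern.match(line)
    if m is None:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print("original:", parse(line, ORIGINAL))
        print("fixed:   ", parse(line, FIXED))
```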