Logstash Filter to combine patterns together

Hello Experts,

I've just started evaluating ELK and it's working great; we are trying to get this product adopted. I'm using version 6.5.

Below are log patterns..

oradb001,10/03/22,00:29,00-mins
oradb002,11/03/21,18:09,-mins

So, when I try the grok below on the above log pattern, it gives the results shown below.

%{HOSTNAME:hostname},(?<datetime>\d{2}/\d{2}/\d{2},\d{2}:\d{2}),(%{NUMBER:duration}-mins)?(%{NUMBER:duration_hrs}-hrs)?

The result for the first line of text is as follows:

{
  "duration": "00",
  "hostname": "oradb001",
  "datetime": "11/03/21,18:09"
}

While for the second line it produces the following:

{
  "hostname": "oradb001",
  "datetime": "11/03/21,18:09"
}

Second approach, just changing the grok:

%{HOSTNAME:Hostname},%{DATE:Date},%{HOUR:Time_h}:%{MINUTE:Time_m},%{NUMBER:duration}-%{WORD:tt}

Result:

{
  "duration": "00",
  "tt": "mins",
  "Time_h": "18",
  "Hostname": "oradb001",
  "Time_m": "09",
  "Date": "11/03/21"
}

%{HOSTNAME:Hostname},%{DATE:Date},%{HOUR:Time_h}:%{MINUTE:Time_m},-%{WORD:Duration}

Result:

{
  "Time_h": "18",
  "Hostname": "oradb001",
  "Time_m": "09",
  "Duration": "mins",
  "Date": "11/03/21"
}

Desired:

{
  "hostname": "oradb001",
  "datetime": "11/03/21,18:09",
  "duration": "-mins"
}

OR

{
  "hostname": "oradb001",
  "datetime": "11/03/21,18:09",
  "duration": "00-mins"
}

You could do that with a dissect filter. The first field is delimited by a comma, the third by a hyphen.
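The dissect-style split Badger describes, and the fix to the grok in the question (the numeric part of the duration has to be allowed to be empty so that "-mins" still matches), as an added Ruby example that is not part of this thread and does not use the Logstash dissect or grok plugins themselves. It is a plain Ruby reimplementation of the two approaches run over constructed copies of the two log lines; the field names duration_value and duration_unit, and the assumption that the only units are "mins" and "hrs", are my own choices. The one behaviour worth noting for anyone feeding these events into detections is that a line with the wrong number of fields is rejected outright instead of producing a partial event with the duration silently missing, which is what the optional groups in the original grok did.

```ruby
# Added example, not code from the original thread or from Logstash itself:
# a plain-Ruby reimplementation of (a) the dissect-style comma/hyphen split and
# (b) a grok-style single regex with the numeric duration made optional.
require "json"

# Constructed sample input: copies of the two lines from the question.
SAMPLE_LINES = [
  "oradb001,10/03/22,00:29,00-mins",
  "oradb002,11/03/21,18:09,-mins",
].freeze

DATE_RE     = %r{\A\d{2}/\d{2}/\d{2}\z}
TIME_RE     = /\A\d{2}:\d{2}\z/
# Assumption: the units seen in the question are the only ones that occur.
DURATION_RE = /\A(?<value>\d*)-(?<unit>mins|hrs)\z/

# Dissect-style parsing: split on the comma delimiter into exactly four tokens,
# re-join date and time into the desired "datetime" field, and keep the raw
# duration token ("00-mins" or "-mins") as the desired "duration" field.
# The hyphen split then yields a numeric value (nil when absent) and a unit.
# Any line that does not have exactly four comma-separated fields, or whose
# fields do not look like a date, a time and a duration, returns nil rather
# than a partial event.
def dissect_line(line)
  hostname, date, time, duration = line.chomp.split(",", 4)
  return nil if duration.nil?
  return nil unless DATE_RE.match?(date) && TIME_RE.match?(time)

  m = DURATION_RE.match(duration)
  return nil unless m

  {
    "hostname"       => hostname,
    "datetime"       => "#{date},#{time}",
    "duration"       => duration,
    "duration_value" => m[:value].empty? ? nil : m[:value].to_i,
    "duration_unit"  => m[:unit],
  }
end

# Grok-style parsing: one anchored regex. The difference from the grok in the
# question is \d* instead of %{NUMBER}, so "-mins" with no leading digits is
# still captured into "duration" instead of the whole optional group failing.
GROK_LIKE_RE = %r{
  \A(?<hostname>[^,]+),
  (?<datetime>\d{2}/\d{2}/\d{2},\d{2}:\d{2}),
  (?<duration>\d*-(?:mins|hrs))\z
}x

def grok_line(line)
  m = GROK_LIKE_RE.match(line.chomp)
  return nil unless m

  {
    "hostname" => m[:hostname],
    "datetime" => m[:datetime],
    "duration" => m[:duration],
  }
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_LINES.each do |line|
    puts "dissect: #{JSON.generate(dissect_line(line))}"
    puts "grok:    #{JSON.generate(grok_line(line))}"
  end
end
```

Run it as a script to see both parsers produce the second "Desired" shape from the question (duration kept as "00-mins" / "-mins") plus the split-out value and unit from the dissect variant.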

Thanks Badger, I will check that.
