Hello, bare with me, I'm fairly new to the stack and have a simple question.
I have the following log lines in different files:
2017-03-17 22:25:04 My log
and sometimes:
2017-03-17 22:25:04,123 another log line...
I tried with something like this, which of course did not work;
grok {
patterns_dir => ["patterns_path"]
match => { "message" => "(?:\s*)%{DATESTAMP:timestamp}(?:\s*)%{GREEDYDATA:Message}" }
}
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss", "yyyy-MM-dd HH:mm:ss,SSS", ISO8601 ]
locale => "sv_SE"
}
mutate {
add_field => {
"timestamp" => logtime
}
}
Anyone care to shed som light into this?
paz
March 17, 2017, 1:55pm
2
I suppose you want to have the parsed timestamp in the "logtime" field?
Provided your grok pattern works fine, something like this should work.
grok {
patterns_dir => ["patterns_path"]
match => { "message" => "(?:\s*)%{DATESTAMP:timestamp}(?:\s*)%{GREEDYDATA:Message}" }
}
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss", "yyyy-MM-dd HH:mm:ss,SSS", ISO8601 ]
locale => "sv_SE"
target => "logtime"
}
No need for a mutate filter, which by the way the correct syntax is
mutate {
add_field => {
"field1_name" => %{field2_value}
}
}
DATESTAMP is the wrong pattern. Try TIMESTAMP_ISO8601 instead.
Thanks a lot, guys. I'm pleasantly surprised by the level of support here. I will definitely spread the word.
system
April 14, 2017, 2:35pm
5
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.