Remove chars from Date/String

(Mateus) #1

I want to remove "-03:00" from the input "2019 May 16 13:27:49 -03:00"
The complete config is:

        # Listener for the mail-gateway syslog feed; every event is tagged "imsva".
        # UDP syslog carries no sender authentication, and no bind address is set
        # here (the plugin default applies), so limit which hosts can reach this
        # port with a firewall rule or an explicit host setting.
        input {
          udp {
            port  => 5141
            type  => "syslog"
            tags  => ["imsva"]
            codec => plain { charset => "UTF-8" }
          }
        }

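# Parse the '#011'-separated IMSVA record into named columns, convert its
# timestamp columns into real date values (offset included) and label the
# mail direction.
filter
{
	if "imsva" in [tags]
	{
		# Split the raw line into columns. Sender, recipient, subject and
		# attachment names are supplied by whoever sent the mail, so treat
		# them as untrusted text in dashboards and alerts.
		csv
		{
			source => "message"
			columns =>
			[
				"transacao","data1","data2","data3","campo5","id","id2","campo8","remetente",
				"destinatario","assunto","host_origen","host_destino","resposta_server",
				"status","campo16","campo17","campo18","data4","data5","campo21","campo22","anexo"
			]
			separator => "#011"
		}

		# The timestamps end in a UTC offset ("2019 Apr 29 13:31:00 -03:00").
		# "ZZ" consumes an offset written as +HH:mm / -HH:mm, so the value is
		# parsed with its real zone instead of failing on the trailing text or
		# being read in the Logstash host's zone after the offset is stripped.
		# data2 uses a different layout in the sample ("2019/04/29 ...") and is
		# left as a string, as before.
		date
		{
			match => [ "data1", "yyyy MMM dd HH:mm:ss ZZ" ]
			target => "data1"
		}
		date
		{
			match => [ "data3", "yyyy MMM dd HH:mm:ss ZZ" ]
			target => "data3"
		}
		date
		{
			match => [ "data4", "yyyy MMM dd HH:mm:ss ZZ" ]
			target => "data4"
		}
		date
		{
			match => [ "data5", "yyyy MMM dd HH:mm:ss ZZ" ]
			target => "data5"
		}

#       mutate 
#		{
#			convert => [ "transacao", "string" ]
#			convert => [ "id", "string" ]
#			convert => [ "campo5","string"]
#			convert => [ "id2","string"]
#			convert => [ "campo8","string"]
#			convert => [ "remetente","string"]
#			convert => [ "destinatario","string"]
#			convert => [ "assunto","string"]
#			convert => [ "host_origen","string"]
#			convert => [ "host_destino","string"]
#			convert => [ "resposta_server","string"]
#			convert => [ "status","string" ]
#			convert => [ "campo16","string" ]
#			convert => [ "campo17","string" ]
#			convert => [ "campo18","string" ]
#			convert => [ "campo21","string" ]
#			convert => [ "campo22","string" ]
#			convert => [ "anexo", "string" ]
#		}

		# NOTE(review): this is a substring test, so any recipient value that
		# merely contains "tjsc.jus.br" (for example as part of a longer
		# domain) is labelled incoming, and an event whose destinatario is
		# missing is labelled outgoing. Confirm the field's exact format
		# before relying on message_direction in detections.
		if "tjsc.jus.br" in [destinatario]
		{
			mutate
			{
				add_field => { "message_direction" => "incoming" }
			}
		}
		else
		{
			mutate
			{
				add_field => { "message_direction" => "outgoing" }
			}
		}

		# Drop the raw line only when the csv split succeeded. On a parse
		# failure the csv filter tags the event "_csvparsefailure"; keeping
		# "message" in that case preserves the original record for review.
		if "_csvparsefailure" not in [tags]
		{
			mutate
			{
				remove_field => [ "message" ]
			}
		}
	}
}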

# Ship events tagged "imsva" to the Elasticsearch node on this host.
output {
  if "imsva" in [tags] {
    elasticsearch {
      # No credentials or TLS options are set in this block; that is only
      # reasonable while Elasticsearch listens on loopback alone.
      hosts => "localhost:9200"
      index => "imsva_message"
    }
  }
}

And the input is:
NormalTransac#0112019 Apr 29 13:31:00 -03:00#0112019/04/29 13:31:02 -03:00#0112019 Apr 29 13:31:02 -03:00#0111556555451331.83794@tjsc.jus.br#0117258FCC2-87AD-CF05-831F-A6E84C2A914E#01149E9F2C6A1#0112#011matheus.trevisol@tjsc.jus.br#011dpicara@pc.sc.gov.br#011Encaminha documentação - relativo descumprimento medidas#011svmnt-beexc-01.tjsc.ad[10.18.12.78]#011smtp.sc.gov.br[200.19.215.15]:25#011250 2.0.0 Ok: queued as 6C8FC1D207E#011sent#01100100000000000000#0110#011#0112019 Apr 29 13:31:02 -03:00#0112019 Apr 29 13:31:01 -03:00#011#0113#011intimação Rodrigo de Oliveira autos 2915-02.pdf; pedido e decisão Rodrigo de Oliveira autos 2915-02.pdf

#2

Please edit your post, select the configuration, and click on </> in the toolbar above the edit pane. You should see a significant change in the preview pane to the right. Then do the same for the input.

(Mateus) #3

It's working; this is the configuration:

# UDP syslog listener; each received datagram becomes one event tagged "imsva".
# Nothing in this block restricts who may send to the port, so source filtering
# has to happen outside Logstash (firewall) or through the plugin's bind address.
input {
  udp {
    port  => 5141
    type  => "syslog"
    tags  => ["imsva"]
    codec => plain { charset => "UTF-8" }
  }
}

# Split each IMSVA line into columns, cut the UTC offset off every timestamp
# column with a second csv pass, label the mail direction, then drop the raw
# line and the intermediate fields.
filter
{
	if "imsva" in [tags]
	{
		# First pass: split the raw line on the literal text "#011".
		csv 
		{
			source => "message"
            columns => 
			[ 
				"transacao","data1","data2","data3","campo5","id","id2","campo8","remetente",
				"destinatario","assunto","host_origen","host_destino","resposta_server",
				"status","campo16","campo17","campo18","data4","data5","campo21","campo22","anexo"
            ]
			separator => "#011"
        }
		
		# Second pass (repeated for data1..data5): split the timestamp at the
		# literal text " -03". The part before it goes to data_N, the rest of
		# the offset (":00" in the sample) to fuso_horario_N.
		# NOTE(review): the separator is tied to the -03:00 offset seen in the
		# sample. A record with any other offset contains no " -03" and would
		# presumably land unsplit in data_N; confirm how the sender behaves
		# across daylight-saving changes. Parsing the offset with a date
		# pattern (Joda "ZZ" accepts "-03:00") would keep the zone instead.
		csv
		{
			source => "data1"
			columns => 
			[
				"data_1","fuso_horario_1"
			]
			separator => " -03"
		
		}
		
		csv
		{
			source => "data2"
			columns => 
			[
				"data_2","fuso_horario_2"
			]
			separator => " -03"
		
		}
		
		csv
		{
			source => "data3"
			columns => 
			[
				"data_3","fuso_horario_3"
			]
			separator => " -03"
		
		}
		
		csv
		{
			source => "data4"
			columns => 
			[
				"data_4","fuso_horario_4"
			]
			separator => " -03"
		
		}
		
		csv
		{
			source => "data5"
			columns => 
			[
				"data_5","fuso_horario_5"
			]
			separator => " -03"
		
		}
		
		# Date parsing is disabled, so data_1..data_5 leave this filter as
		# plain strings with no zone information.
		# NOTE(review): the pattern below has two spaces between "dd" and "HH"
		# while the sample has one, and it repeats "match" for four fields in a
		# single date block; verify both before re-enabling it.
#		date {
#				match => [ "data_1", "yyyy MMM dd  HH:mm:ss" ]
#				match => [ "data_3", "yyyy MMM dd  HH:mm:ss" ]
#				match => [ "data_4", "yyyy MMM dd  HH:mm:ss" ]
#				match => [ "data_5", "yyyy MMM dd  HH:mm:ss" ]
#			 } 


		# NOTE(review): substring test. Any recipient value that merely
		# contains "tjsc.jus.br" is labelled incoming, and an event without
		# destinatario is labelled outgoing; confirm the field format before
		# using message_direction in detections.
        if "tjsc.jus.br" in [destinatario] 
		{		
			mutate 
			{
				add_field=>{"message_direction" => "incoming"}
			}
        }
        else{
				mutate
                {
					add_field=>{"message_direction" => "outgoing"}
                }
			} 
				
		# Removes the raw line, the original timestamp columns and the split-off
		# offset parts, so the original offset is not stored on the event.
		# NOTE(review): nothing here checks whether the csv passes succeeded;
		# presumably "message" is dropped for unparsed events too, confirm.
		mutate 
		{
			remove_field => [ "message" ]
			remove_field => [ "data1" ]
			remove_field => [ "data2" ]
			remove_field => [ "data3" ]
			remove_field => [ "data4" ]
			remove_field => [ "data5" ]
			remove_field => [ "fuso_horario_1" ]
			remove_field => [ "fuso_horario_2" ]
			remove_field => [ "fuso_horario_3" ]
			remove_field => [ "fuso_horario_4" ]
			remove_field => [ "fuso_horario_5" ]
		}
    }
}

# Index "imsva" events into imsva_message on the Elasticsearch node at
# localhost:9200. The block sets no authentication or TLS options, so it relies
# on that node not being reachable from other hosts.
output {
  if "imsva" in [tags] {
    elasticsearch {
      hosts => "localhost:9200"
      index => "imsva_message"
    }
  }
}
#4

You could remove them before the csv filter.

# Placed before the csv filter: deletes every literal " -03:00" in the raw line.
# It acts on the whole message, so the same text inside a subject or attachment
# column is removed too, and the offset is discarded rather than parsed; lines
# carrying a different offset are left unchanged.
mutate {
  gsub => [ "message", " -03:00", "" ]
}