Replace timestamp with actual time from the log

Hi,
We are ingesting a log which is in the format below.

2019-01-17T19:01:48.440361Z D [2027:rrc_poll] {t: 3e3dc5ce-0569-11e9-b17d-06a912e3abd4} connection -- update 1 of 1 existing devices, offset 0
2019-01-17T19:01:48.559861Z I [2027:rrc_poll] {t: 3e3dc5ce-0569-11e9-b17d-06a912e3abd4} client -- response -- Status 200

The filter below is being used:

filter {
    if "yellow" in [tags] {
        grok {
            match => ["message", "%{DATA:status}: %{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:monthday}T%{TIME:time}Z: %{GREEDYDATA:detailed-message}"]
        }
        mutate {
            gsub => ["time", "\d\d\d$", ""]
            add_field => {
                "timestamp" => "%{year}-%{month}-%{monthday}T%{time}Z"
            }
        }
        date {
            match => ["timestamp", "yy-MM-dd:HH:mm:ss,SSSZ", "ISO8601"]
            target => "@timestamp"
        }
        mutate {
            remove_field => ["month", "monthday", "year", "time", "detailed-message"]
        }
    }
}

We need to replace the timestamp with the actual time the logs were generated.
Can anyone please suggest the changes to be made in the filter?

You are making this far too complicated.

grok { "match" => { "message" => [ "^%{NOTSPACE:ts}" ] } }
date { match => [ "ts", "ISO8601"] }

Done.
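To see why the leading-token approach works, here is an added Python example (not part of the original thread or of Logstash) that does the same thing as the answer's `^%{NOTSPACE:ts}` grok plus `ISO8601` date match on the two log lines from the question, and also pulls out the remaining fields of that log format. It mimics the millisecond precision Logstash stores in `@timestamp`, which is why `19:01:48.440361Z` comes out as `19:01:48.440Z`; the field names other than `ts` are my own assumptions.

```python
import re
from datetime import datetime

# Regex equivalent of the grok pattern "^%{NOTSPACE:ts}" (first run of non-space
# characters is the timestamp), extended to the rest of this log format:
#   <ts> <level> [<pid>:<component>] {t: <trace id>} <free text>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?P<level>[A-Z])\s+"
    r"\[(?P<pid>\d+):(?P<component>[^\]]+)\]\s+"
    r"\{t:\s*(?P<trace>[0-9a-f-]+)\}\s+"
    r"(?P<text>.*)$"
)

# Sample input: the two lines quoted in the question.
SAMPLE_LINES = [
    "2019-01-17T19:01:48.440361Z D [2027:rrc_poll] {t: 3e3dc5ce-0569-11e9-b17d-06a912e3abd4} connection -- update 1 of 1 existing devices, offset 0",
    "2019-01-17T19:01:48.559861Z I [2027:rrc_poll] {t: 3e3dc5ce-0569-11e9-b17d-06a912e3abd4} client -- response -- Status 200",
]


def parse_line(line):
    """Return a dict of fields for one log line, or None when it does not match
    (the Logstash equivalent would be a _grokparsefailure tag)."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # Parse the ISO 8601 timestamp. fromisoformat() on older Pythons does not
    # accept a trailing "Z", so spell the UTC offset out explicitly.
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["event_time"] = ts
    # Logstash keeps @timestamp at millisecond precision, so the microsecond
    # part of the source timestamp is truncated, not rounded.
    ms_only = ts.replace(microsecond=(ts.microsecond // 1000) * 1000)
    rec["@timestamp"] = ms_only.isoformat(timespec="milliseconds").replace("+00:00", "Z")
    return rec


def parse_all(lines):
    """Parse every line; unparsable lines are kept as None so gaps are visible."""
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for rec in parse_all(SAMPLE_LINES):
        print(rec["@timestamp"], rec["level"], rec["component"], rec["text"])
```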

"@timestamp" => 2019-01-17T19:01:48.440Z,
