Hi,
I am using Filebeat to send lines from a DHCP log (from Windows Server DHCP), and I am trying to replace the @timestamp field. Here is an example line from the DHCP log file:
11,12/14/17,14:22:04,Renew,10.1.65.60,pcname.domain.com,00A0D4645F14,,3853582496,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0
Using this filter:
filter {
  if [type] == "dhcp" {
    grok {
      patterns_dir => "/etc/logstash/conf.d/patterns"
      match => { "message" => "%{NUMBER:dhcpevent},%{DHCPDATE:timestamp},%{WORD:dhcpaction},%{IP:clientip},%{DATA:hostname},%{WORD:macaddress}" }
    }
    #turn timestamp from grok into @timestamp
    date {
      match => [ "timestamp", "dd/MM/yy,HH:mm:ss" ]
      target => "@timestamp"
    }
  }
}
And this grok pattern: DHCPDATE %{MONTHNUM}/%{MONTHDAY}/%{YEAR},%{TIME}
But it is not working. Here is the rubydebug output:
{
    "offset" => 1935569,
    "input_type" => "log",
    "dhcpevent" => "11",
    "source" => "C:\\Windows\\System32\\dhcp\\DhcpSrvLog-Thu.log",
    "message" => "11,12/14/17,14:22:04,Renew,10.1.65.60,pcname.domain.com,00A0D4645F14,,3853582496,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0",
    "type" => "dhcp",
    "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_dateparsefailure"
    ],
    "hostname" => "pcname.domain.com",
    "@timestamp" => 2017-12-14T13:23:02.140Z,
    "clientip" => "192.168.5.60",
    "@version" => "1",
    "beat" => {
        "hostname" => "somehostname",
        "name" => "somehostname",
        "version" => "5.4.0"
    },
    "host" => "somehostname",
    "macaddress" => "00A0D4645F14",
    "dhcpaction" => "Renew",
    "timestamp" => "12/14/17,14:22:04"
}
What am I doing wrong?
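
An added example, not part of the original post: a Python sketch that parses the quoted DHCP line with the day-first field order from the date filter above and with month-first order, using `strptime` equivalents of the two patterns. The second sample line and all function names are constructed for illustration; it shows that a day-first pattern fails visibly only when the day is above 12 and otherwise yields a wrong timestamp with no failure tag.

```python
from datetime import datetime

# First line is the one quoted in the post; the second is constructed
# (same layout, a date whose day and month are both <= 12).
SAMPLE_LINES = [
    "11,12/14/17,14:22:04,Renew,10.1.65.60,pcname.domain.com,00A0D4645F14,,"
    "3853582496,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0",
    "10,03/04/17,09:15:30,Assign,10.1.65.61,pc2.domain.com,00A0D4645F15,,0,0,,,,,,,,,0",
]

DAY_FIRST = "%d/%m/%y,%H:%M:%S"    # strptime equivalent of "dd/MM/yy,HH:mm:ss"
MONTH_FIRST = "%m/%d/%y,%H:%M:%S"  # strptime equivalent of "MM/dd/yy,HH:mm:ss"


def parse_line(line, fmt):
    """Split one DHCP audit line and parse its date,time columns with fmt.

    On a date error the event keeps timestamp=None and gets a
    "_dateparsefailure" tag, mirroring the tag in the rubydebug output.
    """
    fields = line.split(",")
    if len(fields) < 7:
        raise ValueError("not a DHCP audit record: too few columns")
    event = {
        "dhcpevent": fields[0],
        "dhcpaction": fields[3],
        "clientip": fields[4],
        "hostname": fields[5],
        "macaddress": fields[6],
        "timestamp": None,
        "tags": [],
    }
    try:
        event["timestamp"] = datetime.strptime(fields[1] + "," + fields[2], fmt)
    except ValueError:
        event["tags"].append("_dateparsefailure")
    return event


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        for name, fmt in (("day-first", DAY_FIRST), ("month-first", MONTH_FIRST)):
            ev = parse_line(line, fmt)
            print(line[:20], name, ev["timestamp"], ev["tags"])
```
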