Setting @timestamp once MM YYYY etc are parsed


(P Larsen) #1

I am able to grok out MM, YYYY, etc.; the part I can't get a handle on is the Logstash conf syntax for non-standard time formats and setting @timestamp.

Sample log
Nov 01 2018 07:42:25: %ASA-6-106100: access-list global-in permitted tcp outside/333.33.33.33(28923)

filter {
  grok {
    # split the leading timestamp into its parts and keep the rest as "message"
    match => ["message", "%{MONTH:MMM} %{MONTHDAY:dd} %{YEAR:YYYY} %{HOUR:HH}:%{MINUTE:mm}:%{SECOND:ss}: ?%{GREEDYDATA:message}"]
  }
}

Sample Std-in to Std-out Test

Nov 01 2018 07:42:25: %ASA-6-106100: access-list global-in permitted tcp outside/333.33.33.33(28923)
{
"@version" => "1",
"host" => "hosta",
"MMM" => "Nov",
"ss" => "25",
"message" => [
[0] "Nov 01 2018 07:42:25: %ASA-6-106100: access-list global-in permitted tcp outside/180.163.220.124(28923)",
[1] "%ASA-6-106100: access-list global-in permitted tcp outside/333.33.33.33(28923)"
],
"@timestamp" => 2018-11-01T13:40:15.984Z,
"dd" => "01",
"mm" => "42",
"YYYY" => "2018",
"HH" => "07"
}
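Added example, not part of the original post: a filter that does what the question asks, namely setting @timestamp from the non-standard ASA time format. The date filter can only parse a single field, so the grok pattern captures the whole timestamp into one field (named asa_ts here, an arbitrary choice) instead of six separate pieces, and then hands it to date with the matching Joda pattern. The timezone value is an assumption (the ASA log line carries no zone, so the filter has to be told one; the platform default is used otherwise). The overwrite option also fixes the doubled "message" field visible in the output above: without it grok appends the new capture, which is why "message" became a two-element array.

```logstash
filter {
  grok {
    # (?<asa_ts>...) is an Oniguruma named capture: the whole "Nov 01 2018 07:42:25"
    # string lands in one field so the date filter can parse it in one go.
    match => { "message" => "(?<asa_ts>%{MONTH} %{MONTHDAY} %{YEAR} %{TIME}): ?%{GREEDYDATA:message}" }
    # replace "message" with the remainder instead of appending a second value
    overwrite => [ "message" ]
    tag_on_failure => [ "_grokparsefailure_asa" ]
  }

  date {
    # Joda pattern matching "Nov 01 2018 07:42:25"
    match => [ "asa_ts", "MMM dd yyyy HH:mm:ss" ]
    target => "@timestamp"
    # assumption: the ASA clock runs in UTC; set this to the firewall's real zone
    timezone => "UTC"
    # month abbreviations are English regardless of the Logstash host's locale
    locale => "en"
    tag_on_failure => [ "_dateparsefailure_asa" ]
    # the raw string is only dropped when the parse succeeded, so failures stay debuggable
    remove_field => [ "asa_ts" ]
  }
}
```

For the sample line this yields "@timestamp" => 2018-11-01T07:42:25.000Z instead of the ingest time (13:40:15) shown in the original output. If you prefer to keep the separate MMM/dd/YYYY/HH/mm/ss fields from the original grok, assemble them first with a mutate add_field such as "%{MMM} %{dd} %{YYYY} %{HH}:%{mm}:%{ss}" and point the date filter at that field. Two caveats worth checking in practice: an event that fails to parse silently keeps the ingest time as @timestamp, which will misplace it in an incident timeline, so filter or alert on the failure tags; and the timezone must reflect the firewall's configured clock, or every event is shifted by the offset.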


(system) #2

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.