Hi,
I'm parsing a log file (flexlm debug.log) and I need to combine 2 fields from different lines.
Basically, I need to extract the date (Mon Mar 09 2020) and add it to the timestamp that appears in each line, for example, 00:12:24.
So I will get Mon Mar 09 2020 00:12:24.
Log file example:
0:06:46 (cdslmd) (@cdslmd-SLOG@) Time: Mon Mar 09 2020 00:06:46 UTC
0:06:46 (cdslmd) (@cdslmd-SLOG@) In-house operation time, when, #concurrent clients
0:06:46 (cdslmd) (@cdslmd-SLOG@)
0:06:46 (cdslmd) (@cdslmd-SLOG@) === Active Connections Info ===
0:06:46 (cdslmd) (@cdslmd-SLOG@) Peak active connections #535 attempted at Sun Mar 08 2020 17:09:52 UTC
0:06:46 (cdslmd) (@cdslmd-SLOG@)
0:06:46 (cdslmd) (@cdslmd-SLOG@) ===============================================
0:12:24 (cdslmd) DENIED: "Virtuoso_Acceler_Parallel_sc" yur@flexx603 (Licensed number of users already reached. (-4,342))
There was a solution, flexlm-license-elk, that uses memorize, which is a deprecated plugin, and uses an old Logstash version.
I was able to write grok patterns to match both lines, but I'm failing to extract the date and merge it with the timestamp.
My filter setting in logstash.conf:
filter {
  grok {
    match => [ "message", "%{DATA:checkoutTime} \(%{DATA:vendorName}\) (?<action>(DENIED))\: \"%{DATA:featureName}\" %{DATA:userName}@%{HOSTNAME:serverName}.* \(%{GREEDYDATA:reason}\." ]
  }
  mutate { remove_field => ["@version", "@timestamp", "host", "message"] }
}
I was able to parse the date with:
grok {
  match => ["message", "(?<date>%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME}\s*(?:[APMCE][SD]T|UTC))"]
}
Please assist!
Thanks.
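The merge the post asks about is stateful: the date comes from one line and has to be carried forward to every later line until the next date line. The following is an added example, not code from the post or from any Logstash plugin; it runs the same two patterns as the post's grok filters over a constructed copy of the excerpt above and shows the state that has to be kept between events. The `SAMPLE_LOG` text, the `_datemergefailure` tag and the midnight-rollover heuristic are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input modelled on the excerpt in the post (not a real debug.log).
SAMPLE_LOG = """\
0:06:46 (cdslmd) (@cdslmd-SLOG@) Time: Mon Mar 09 2020 00:06:46 UTC
0:06:46 (cdslmd) (@cdslmd-SLOG@) In-house operation time, when, #concurrent clients
0:06:46 (cdslmd) (@cdslmd-SLOG@)
0:06:46 (cdslmd) (@cdslmd-SLOG@) === Active Connections Info ===
0:06:46 (cdslmd) (@cdslmd-SLOG@) Peak active connections #535 attempted at Sun Mar 08 2020 17:09:52 UTC
0:12:24 (cdslmd) DENIED: "Virtuoso_Acceler_Parallel_sc" yur@flexx603 (Licensed number of users already reached. (-4,342))
"""

# The "Time:" line carries the wall-clock date. Anchoring on the literal "Time:" keeps the
# "Peak active connections ... attempted at Sun Mar 08 2020" line from being taken as the
# current date (the post's standalone DAY MONTH MONTHDAY YEAR TIME pattern matches that line too).
DATE_RE = re.compile(
    r"\bTime: (?P<date>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} \d{1,2} \d{4}) "
    r"(?P<time>\d{1,2}:\d{2}:\d{2}) (?P<tz>UTC|[APMCE][SD]T)"
)

# Same fields as the post's DENIED grok pattern; note the hour is not zero-padded.
DENIED_RE = re.compile(
    r'^(?P<checkoutTime>\d{1,2}:\d{2}:\d{2}) \((?P<vendorName>[^)]+)\) (?P<action>DENIED): '
    r'"(?P<featureName>[^"]+)" (?P<userName>[^@\s]+)@(?P<serverName>\S+) \((?P<reason>.*)\)$'
)


def merge_dates(lines):
    """Return one dict per DENIED line, with checkoutTime expanded to a full date and time.

    State carried between lines:
      current_date - date from the most recent "Time:" line (None until one is seen)
      last_time    - last time-of-day seen, used to detect a midnight rollover
    """
    current_date = None
    last_time = None
    events = []
    for line in lines:
        m = DATE_RE.search(line)
        if m:
            current_date = datetime.strptime(m["date"], "%a %b %d %Y").date()
            last_time = datetime.strptime(m["time"], "%H:%M:%S").time()
            continue
        d = DENIED_RE.match(line)
        if not d:
            continue
        fields = d.groupdict()
        if current_date is None:
            # No "Time:" line seen yet: keep the event but flag it (assumed tag name),
            # the way a grok failure is tagged rather than silently dropped.
            fields["tags"] = ["_datemergefailure"]
            events.append(fields)
            continue
        t = datetime.strptime(fields["checkoutTime"], "%H:%M:%S").time()
        # Heuristic (assumption): the log is chronological, so a time-of-day that goes
        # backwards means the clock passed midnight since the last "Time:" line.
        if last_time is not None and t < last_time:
            current_date += timedelta(days=1)
        last_time = t
        stamp = datetime.combine(current_date, t)
        fields["checkoutTime"] = stamp.strftime("%a %b %d %Y %H:%M:%S")
        fields["@timestamp"] = stamp.isoformat()
        events.append(fields)
    return events


if __name__ == "__main__":
    for ev in merge_dates(SAMPLE_LOG.splitlines()):
        print(ev["checkoutTime"], ev["action"], ev["featureName"],
              ev["userName"], ev["serverName"], ev["reason"])
```

In Logstash the same `current_date` state has to live somewhere that survives from one event to the next, which is why the order of events matters: whichever filter carries it (an aggregate or ruby filter) only sees events in file order when the pipeline runs with a single worker.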