Not sure what you mean by this. Using
# Parse one Cisco CUCM syslog line. dissect peels off the syslog <pri> and the
# sequence number, collects the five space-separated timestamp tokens into
# [@metadata][timestamp] (the %{+...} syntax appends to the same field), captures
# the "%UC_..." message tag, and leaves the remainder of the line in
# [@metadata][restOfLine]. @metadata fields are not written to the output event.
dissect { mapping => { "message" => "<%{pri}>%{number}: %{[@metadata][timestamp]} %{+[@metadata][timestamp]} %{+[@metadata][timestamp]} %{+[@metadata][timestamp]} %{+[@metadata][timestamp]} : %{messageTag}: %{[@metadata][restOfLine]}" } }
# Convert the dissected timestamp into @timestamp. The date filter uses Joda-Time
# patterns, where "YYYY" is year-of-era (not a week-based year), so the pattern is
# safe across year boundaries; "ZZZ" expects a zone id such as "UTC".
date { match => [ "[@metadata][timestamp]", "MMM dd YYYY HH:mm:ss.SSS ZZZ" ] }
# Split the "[Key=Value][Key2=Value2]" pairs into event fields: any run of square
# brackets is the pair separator, value_split keeps its default "=", and trim_key
# strips the spaces that would otherwise leave keys like "Node ID ".
# NOTE(review): no source is set, so kv reads its default source field rather than
# the [@metadata][restOfLine] captured above — confirm whether
# source => "[@metadata][restOfLine]" was intended.
# Key names are taken verbatim from device-supplied syslog text; the target or prefix
# option would keep a log-supplied key from landing on a top-level field such as
# @timestamp, pri or messageTag.
kv { field_split_pattern => "[\[\]]+" trim_key => " " }
I get
{
"messageTag" => "%UC_AUDITLOG-6-AdministrativeEvent",
"ClientAddress" => "xx.xx.xx.xx",
"CompulsoryEvent" => "No",
"ComponentID" => "Cisco CCM Servicability",
"AuditDetails" => "Attempt to access data was successful.User is authorized to access auditconfig",
"Node ID" => "cucm-pub",
"ResourceAccessed" => "CUCMServiceability",
"pri" => "190",
"EventStatus" => "Success",
"App ID" => "Cisco Tomcat",
"Severity" => "6",
"@timestamp" => 2020-06-08T07:09:37.449Z,
"AuditCategory" => "AdministrativeEvent",
"number" => "161",
"UserID" => "admin",
"EventType" => "UserAccess"
}
{
"messageTag" => "%UC_CALLMANAGER-6-EndPointUnregistered",
"Cluster ID" => "StandAloneCluster",
"Reason Code" => "9",
"IPAddressAttributes" => "0",
"Node ID" => "cucm-pub",
"pri" => "190",
"App ID" => "Cisco CallManager",
"Device type" => "36248",
"@timestamp" => 2020-06-08T09:34:14.578Z,
"Device IP address" => "xx.xx.xx.xx",
"number" => "656",
"Protocol" => "SIP",
"Device description" => "phone 1",
"Device name" => "MY_DEVICE"
}
What do you not like about that?