Timestamp from filename

SusantaBN · October 31, 2018, 10:44pm

I have a requirement to put the timestamp on log file name and subsequently extract the timestamp from filename and add as a field in the elastic search index.

e.g. file name: 2018-10-31_13-11-25.33.csv

My custom grok

SUS_DATE %{YEAR}-%{MONTHNUM}-%{MONTHDAY}_%{HOUR}-%{MINUTE}-%{SECOND}

Conf file contents
input{
file{
path =>"D:/ELK_Stack/data/DLS/HM/*.csv"
start_position =>"beginning"
}
}
filter{
grok {
patterns_dir => "./patterns"
match => ["path","D:/ELK_Stack/data/%{DATA:srvtyp}/%{DATA:srvloc}/%{SUS_DATE:dattim}.csv" ]
}
date {
match => ["dattim","YYYY-MM-dd_HH-mm-ss.SS"]
}

But I always get dattim in type text instead of date.

Capture

I work on windows OS. Any help to convert dattim to type DATE would be highly appreciated.

tamara · October 31, 2018, 11:08pm

You have the wrong date format change the date filter from:

match => ["dattim","YYYY-MM-dd_HH-mm-ss.SS"]

to

match => ["dattim","yyyy-MM-dd_HH-mm-ss.SS"]

SusantaBN · November 1, 2018, 7:58pm

Thanks a lot Tamara. Solution worked well.

system · November 29, 2018, 7:58pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.