Timestamp out of UNIXpath

Hello,
I am trying to get a new timestamp, which I want to read from a Unix path. I tested with the Grok Debugger. I got something that worked, but I think there are better solutions for this.

My sample data:

/home/user/file.1.2018.12.22-08.20.log

My Grok Pattern:

%{UNIXPATH:path}%{YEAR:year}.%{MONTHNUM:month}.%{MONTHDAY:day}-%{HOUR:hour}.%{MINUTE:minute}.%{GREEDYDATA:data}

gives the following json:

{
  "month": "12",
  "data": "log",
  "year": "18",
  "path": "/home/user/file.1.20",
  "day": "22",
  "hour": "08",
  "minute": "20"
}

Is there a more elegant way? How is it possible to get the year with 4 digits?

Best regards

This gave me a 4-digit year:

%{UNIXPATH:path}%{NUMBER}.%{YEAR:year}.%{MONTHNUM:month}.%{MONTHDAY:day}-%{HOUR:hour}.%{MINUTE:minute}.%{GREEDYDATA:data}

{
  "path": "/home/user/file",
  "month": "12",
  "hour": "08",
  "data": "log",
  "year": "2018",
  "day": "22",
  "minute": "20"
}

Weird, I got an error when trying this. After reloading 5 times it works... thank you.

I created the 4-digit year with this:

%{UNIXPATH:path}[1.]%{YEAR:year}.%{MONTHNUM:month}.%{MONTHDAY:day}-%{HOUR:hour}.%{MINUTE:minute}.%{GREEDYDATA:data}

Is it possible to create a new @timestamp with my new fields?

Best regards

Don't use UNIXPATH. You can replace it with (?:[^.]+)

To set @timestamp use

mutate { add_field => { "ts" => "%{year}/%{month}/%{day} %{hour}:%{minute}" } }
date { match => [ "ts", "yyyy/MM/dd HH:mm" ] }
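
The difference between the greedy UNIXPATH capture and a path capture that stops at the first dot, followed by the same timestamp assembly the mutate/date pair above performs, as an added Python example (this is not code from the thread or from Logstash itself; the grok pattern bodies are transcribed from logstash-patterns-core with UNIXPATH simplified as commented, the sample path is the one from the post, and the field name `seq` and the UTC time zone are assumptions):

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Grok pattern definitions transcribed from logstash-patterns-core.  UNIXPATH
# is written in the unambiguous form (?:/[chars]*)+ using grok's character
# class; it backtracks the same way as the original but without the nested
# quantifier that makes Python's re engine exponential on a mismatch.
GROK = {
    "UNIXPATH":   r"(?:/[\w_%!$@:.,+~-]*)+",
    "YEAR":       r"(?:\d\d){1,2}",
    "MONTHNUM":   r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY":   r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR":       r"(?:2[0123]|[01]?[0-9])",
    "MINUTE":     r"(?:[0-5][0-9])",
    "GREEDYDATA": r".*",
}


def grok_to_regex(pattern: str) -> re.Pattern:
    """Expand %{NAME:field} / %{NAME} into Python named groups.  Grok's own
    named captures (?<name>...) are rewritten to Python's (?P<name>...)."""
    def expand(m: re.Match) -> str:
        body = GROK[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    regex = re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern)
    regex = re.sub(r"\(\?<(\w+)>", r"(?P<\1>", regex)
    return re.compile(regex)


def grok_match(pattern: str, text: str) -> Optional[dict]:
    """Like the grok filter: unanchored search, returns the captured fields."""
    m = grok_to_regex(pattern).search(text)
    return m.groupdict() if m else None


# The original post's pattern.  UNIXPATH is greedy and its character class
# includes "." and digits, so it swallows "20" of "2018"; the unescaped "."
# separators match any character, which hides the problem further.
GREEDY_PATTERN = ("%{UNIXPATH:path}%{YEAR:year}.%{MONTHNUM:month}.%{MONTHDAY:day}"
                  "-%{HOUR:hour}.%{MINUTE:minute}.%{GREEDYDATA:data}")

# Same idea as the "(?:[^.]+)" suggestion, but capturing: the path stops at the
# first dot, the sequence number gets its own (assumed) field "seq", and the
# separators are escaped so "." means a literal dot.
STRICT_PATTERN = (r"(?<path>[^.]+)\.(?<seq>\d+)\.%{YEAR:year}\.%{MONTHNUM:month}"
                  r"\.%{MONTHDAY:day}-%{HOUR:hour}\.%{MINUTE:minute}\.%{GREEDYDATA:data}")

SAMPLE = "/home/user/file.1.2018.12.22-08.20.log"   # the path from the post


def build_timestamp(fields: dict) -> datetime:
    """Equivalent of the mutate/date pair from the thread:
       ts = "%{year}/%{month}/%{day} %{hour}:%{minute}", parsed as "yyyy/MM/dd HH:mm".
    The date filter uses the platform time zone unless `timezone` is set; UTC is
    assumed here.  %Y rejects a two-digit year, so the greedy fields raise ValueError
    (Logstash would not reject "18", but it would not produce 2018 from it either)."""
    ts = "{year}/{month}/{day} {hour}:{minute}".format(**fields)
    return datetime.strptime(ts, "%Y/%m/%d %H:%M").replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    print("greedy:", grok_match(GREEDY_PATTERN, SAMPLE))
    strict = grok_match(STRICT_PATTERN, SAMPLE)
    print("strict:", strict)
    print("@timestamp:", build_timestamp(strict).isoformat())
```

The greedy pattern reproduces the debugger output from the post (path "/home/user/file.1.20", year "18"); the strict one yields path "/home/user/file" and year "2018", from which the timestamp 2018-12-22T08:20:00+00:00 is built. In the Logstash config, the same escaping of the dots applies, the `mutate` must come before the `date` filter since filters run in order, and it is worth setting `timezone` on the `date` filter explicitly and removing the helper field `ts` once `@timestamp` has been set.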

This works perfectly, thank you very much.
When I start my new config (at the moment the one with the old (wrong) timestamp is running), I can't see the changed timestamp. I refreshed my index pattern and the new field is there, but I can't see it in the Kibana details. When I create a new index, the new timestamp works perfectly. Is there a way to get the new timestamp to work on my "old" index?

I think you would have to re-index.
