Timestamp parsing in CCM logs


(Micke) #1

Hello,
Trying to parse the date in Logstash on logs from CCM logs (System Center Configuration Manager).
Example row:

<![LOG[Successfully raised pending event]LOG]!><time="20:01:33.961-60" date="10-28-2018" component="CCMEXEC" context="" type="1" thread="6300" file="eventprovider.cpp:384">

Two questions:

  1. Is there a way to build the timestamp from the time and date format without getting all the separate date and time values in the 6+ fields and then matching them together?
  2. I want to include the milliseconds part. How do I do this?

Will Elasticsearch approve if I send a timestamp that looks like this:
2018-10-28 20:01:33.961 (don't know what the last -60 is!? Nanoseconds? Ticks?)


(Micke) #2

Just found out that the time is formatted in three ways:
yyyy-MM-dd HH:mm:ss.SSS-60
yyyy-MM-dd HH:mm:ss.SSS-120
yyyy-MM-dd HH:mm:ss.SSSSSSS

So I guess I have to get the first three of SSS and throw away the others. Don't know what the -60 and -120 are.

Any ideas out there in the community?
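
An added example, not part of the original thread: a stand-alone Ruby function that builds one UTC timestamp with milliseconds from the time and date attributes of a CCM log line, covering the three variants listed above. It assumes the signed suffix (-60, -120) is the CMTrace time zone bias in minutes (UTC minus local time) and that a value without a suffix is already UTC; ccm_timestamp, CCM_STAMP and default_bias are names made up for this example.

```ruby
require 'time'

# time="HH:mm:ss.fraction[+-bias]" followed by date="MM-dd-yyyy".
# The fraction may have 1 to 7 digits; the bias suffix is optional.
CCM_STAMP = /time="(\d{2}):(\d{2}):(\d{2})\.(\d{1,7})([+-]\d{1,3})?"\s+date="(\d{1,2})-(\d{1,2})-(\d{4})"/

# Returns an ISO 8601 UTC string with millisecond precision, or nil when
# the line carries no usable time/date pair.
# default_bias (assumption of this example): bias in minutes to apply when
# the time value has no suffix; 0 means "treat as UTC".
def ccm_timestamp(line, default_bias: 0)
  m = CCM_STAMP.match(line) or return nil
  hour, min, sec = m[1].to_i, m[2].to_i, m[3].to_i
  # Keep only the first three fractional digits (milliseconds).
  millis = m[4].ljust(3, '0')[0, 3].to_i
  # Assumed meaning of the suffix: bias = UTC - local, in minutes.
  bias = m[5] ? m[5].to_i : default_bias
  month, day, year = m[6].to_i, m[7].to_i, m[8].to_i
  # Build the wall-clock value, then shift by the bias to reach UTC.
  local = Time.utc(year, month, day, hour, min, sec, millis * 1000)
  (local + bias * 60).utc.iso8601(3)
rescue ArgumentError
  nil # out-of-range month, hour, and so on
end

# The row quoted in the first post.
SAMPLE = '<![LOG[Successfully raised pending event]LOG]!><time="20:01:33.961-60" date="10-28-2018" component="CCMEXEC" context="" type="1" thread="6300" file="eventprovider.cpp:384">'
# Constructed rows for the other two variants (not taken from real logs).
SAMPLE_120  = '<![LOG[constructed]LOG]!><time="08:15:00.100-120" date="10-27-2018" component="X" context="" type="1" thread="1" file="x.cpp:1">'
SAMPLE_7DIG = '<![LOG[constructed]LOG]!><time="20:01:33.9612345" date="10-28-2018" component="X" context="" type="1" thread="1" file="x.cpp:1">'

if __FILE__ == $PROGRAM_NAME
  [SAMPLE, SAMPLE_120, SAMPLE_7DIG].each { |l| puts ccm_timestamp(l) }
end
```

The ISO 8601 output with milliseconds is accepted by Elasticsearch's default date mapping.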