The CSV contains timeStamp field whose format is "yyyy/MM/dd HH:mm:ss.SSS"
I want to capture only "yyyy/MM/dd HH:mm:ss"
Used below config but it didn't work.
filter {
if ([message] =~ "responseCode") {
drop { }
} else {
csv {
separator => ","
columns => ["timeStamp", "elapsed", "label", "responseCode", "responseMessage", "threadName", "dataType", "success", "bytes", "grpThreads", "allThreads", "URL", "Latency", "Encoding", "SampleCount", "ErrorCount", "Hostname", "IdleTime"]
}
}
date { match => ["timeStamp", "yyyy/MM/dd HH:mm:ss.SSS", "yyyy/MM/dd HH:mm:ss"]}
}
Use a mutate filter (specifically its gsub parameter) to strip the milliseconds from the timestamp field before you feed it to the date filter.
1 Like
Do you mean below to be done?
mutate {
gsub => ["timestamp", ".\d{3}", ""]
}
I get following error:
←[33mFailed parsing date from field {:field=>"timeStamp", :value=>"2015/07/10 05:52:04.586"
I configured as:
mutate {
gsub => ["timeStamp", ".\d{6}", ""]
}
date { match => ["timeStamp", "yyyy/MM/dd HH:mm:ss"]}
Periods are metacharacters in regular expressions so you need to escape them, you should anchor the match to the end of the string, and finally you should expect three digits and not six (six digits would be for microseconds). Hence:
gsub => ["timeStamp", "\.\d{3}$", ""]