Compliance with Logstash date log format

I have this log that prints the date format that looks like this:

=          Build Stamp: 10:45:33 On Apr  4 2014           =

      

So I ran the filter on the grok debugger but still don't know how to remove the word On.

grok {
    patterns_dir => "./patterns"
    match => { "message" => "%{F_TIMESTAMP:timestamp}" }
}

date {
    match => [ "timestamp" , "HH:mm:ss MMM  d yyyy" , "HH:mm:ss MMM  dd yyyy" ]
    locale => "en"
}

      

pattern file,

F_TIMESTAMP %{TIME} \On %{MONTH} +%{MONTHDAY} %{YEAR}

      

My current output for a timestamp would be

10:45:33 AM Apr 4, 2014 on the grok debugger.

Then how can I make it consistent / match logstash @timestamp?

+3




1 answer


You can extract each part of the date and concatenate into another field without the On keyword.

This can be done as follows:

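filter {
    grok {
        # F_TIMESTAMP is a custom pattern, so grok needs the pattern
        # directory (same path as in the question).
        patterns_dir => "./patterns"
        match => { "message" => "%{F_TIMESTAMP}" }
    }
    mutate {
        # Rebuild the timestamp from the captured parts, without "On".
        add_field => {
            "timestamp" => "%{time} %{month} %{monthday} %{year}"
        }
    }
    date {
        # On success the parsed value is written to @timestamp.
        match => [ "timestamp" , "HH:mm:ss MMM d yyyy" , "HH:mm:ss MMM dd yyyy" ]
        locale => "en"
    }
    mutate {
        # Drop the helper fields once @timestamp is set.
        remove_field => [ "time", "month", "monthday", "year", "timestamp" ]
    }
}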

      



F_TIMESTAMP %{TIME:time}\s*On\s*%{MONTH:month}\s*%{MONTHDAY:monthday}\s*%{YEAR:year}

His work is wonderful to me.

+7
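
An offline check for the approach in the answer above, added here as an example (it is not part of the original question or answer, and not Logstash code): it applies a simplified Python equivalent of the F_TIMESTAMP pattern to constructed sample lines and returns the UTC instant that @timestamp should hold, or None where Logstash would tag the event with _grokparsefailure or _dateparsefailure. The function name, the source_utc_offset_hours parameter and the sample lines are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()

# Simplified stand-in for the answer's pattern:
#   %{TIME:time}\s*On\s*%{MONTH:month}\s*%{MONTHDAY:monthday}\s*%{YEAR:year}
# (the real grok TIME/MONTH/MONTHDAY/YEAR patterns accept more variants).
F_TIMESTAMP = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2})\s*On\s*"
    r"(?P<month>" + "|".join(MONTHS) + r")\s*"
    r"(?P<monthday>\d{1,2})\s*(?P<year>\d{4})"
)

def build_stamp_to_utc(line, source_utc_offset_hours=0):
    """Return the ISO-8601 UTC instant for a build-stamp line, or None."""
    m = F_TIMESTAMP.search(line)
    if m is None:
        return None  # no match: Logstash would add _grokparsefailure
    hh, mm, ss = (int(part) for part in m["time"].split(":"))
    # The stamp carries no zone. The offset here is an assumption of this
    # example; in Logstash the date filter's timezone option plays this role.
    zone = timezone(timedelta(hours=source_utc_offset_hours))
    try:
        local = datetime(int(m["year"]), MONTHS.index(m["month"]) + 1,
                         int(m["monthday"]), hh, mm, ss, tzinfo=zone)
    except ValueError:
        return None  # impossible date or time: _dateparsefailure in Logstash
    return local.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

# Constructed sample lines (the first is the one quoted in the question).
SAMPLES = [
    "=          Build Stamp: 10:45:33 On Apr  4 2014           =",
    "=          Build Stamp: 23:59:59 On Dec 31 2014           =",
    "=          Build Stamp: unknown                           =",
    "=          Build Stamp: 10:45:33 On Feb 30 2014           =",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", build_stamp_to_utc(sample))
```
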

