Compliance with Logstash date log format
I have this log that prints the date format that looks like this:
= Build Stamp: 10:45:33 On Apr 4 2014 =
So I ran the filter in the grok debugger, but I still don't know how to remove the word On.
grok {
patterns_dir => "./patterns"
match => { "message" => "%{F_TIMESTAMP:timestamp}" }
}
date {
match => [ "timestamp" , "HH:mm:ss MMM d yyyy" , "HH:mm:ss MMM dd yyyy" ]
locale => "en"
}
Pattern file:
F_TIMESTAMP %{TIME} \On %{MONTH} +%{MONTHDAY} %{YEAR}
My current output for a timestamp would be
10:45:33 AM Apr 4, 2014 on the grok debugger.
Then how can I make it consistent / match logstash @timestamp?
+3
1 answer
You can extract each part of the date and concatenate into another field without the On keyword.
This can be done as follows:
filter {
  grok {
    # the custom F_TIMESTAMP pattern below must live in a file under patterns_dir
    patterns_dir => "./patterns"
    match => { "message" => "%{F_TIMESTAMP}" }
  }
  mutate {
    # rebuild the timestamp from the captured parts, leaving out the literal "On"
    add_field => {
      "timestamp" => "%{time} %{month} %{monthday} %{year}"
    }
  }
  date {
    match => [ "timestamp", "HH:mm:ss MMM d yyyy", "HH:mm:ss MMM dd yyyy" ]
    locale => "en"
  }
  mutate {
    # drop the helper fields once @timestamp has been set
    remove_field => [ "time", "month", "monthday", "year", "timestamp" ]
  }
}
Pattern file:
F_TIMESTAMP %{TIME:time}\s*On\s*%{MONTH:month}\s*%{MONTHDAY:monthday}\s*%{YEAR:year}
It works great for me.
+7
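As an added example, not part of the question or the answer, here is the same grok / mutate / date chain re-implemented in plain Python so you can check offline what the pipeline will do with a given line. The regex stands in for the answer's F_TIMESTAMP pattern, the `tz` argument stands in for the date filter's `timezone` option (Logstash assumes the host's local zone when it is not set, which is why a build stamp with no zone can land hours off in @timestamp), and `None` stands in for the `_dateparsefailure` tag.

```python
import re
from datetime import datetime, timezone

# Python stand-in for the answer's grok pattern; the named groups correspond to
# %{TIME:time}, %{MONTH:month}, %{MONTHDAY:monthday} and %{YEAR:year}.
F_TIMESTAMP = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2})\s*On\s*"
    r"(?P<month>Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)[a-z]*\s*"
    r"(?P<monthday>\d{1,2})\s*(?P<year>\d{4})"
)

# strptime's %d accepts both "4" and "04", so one format covers the date
# filter's "MMM d yyyy" and "MMM dd yyyy" variants.
DATE_FORMAT = "%H:%M:%S %b %d %Y"


def parse_build_stamp(line, tz=timezone.utc):
    """grok -> mutate -> date: return an aware datetime, or None on failure
    (where Logstash would tag the event _grokparsefailure / _dateparsefailure)."""
    m = F_TIMESTAMP.search(line)
    if not m:
        return None
    # mutate add_field: concatenate the captures without the literal "On";
    # month[:3] reduces a full month name (grok's MONTH allows it) to the %b form
    timestamp = f"{m['time']} {m['month'][:3]} {m['monthday']} {m['year']}"
    try:
        naive = datetime.strptime(timestamp, DATE_FORMAT)
    except ValueError:
        return None
    # the log carries no zone, so the assumed zone (tz) decides the real instant
    return naive.replace(tzinfo=tz)


def to_logstash_timestamp(dt):
    """Render like @timestamp: normalised to UTC, ISO 8601 with milliseconds and Z."""
    utc = dt.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"


if __name__ == "__main__":
    # constructed sample line, copied from the question
    sample = "= Build Stamp: 10:45:33 On Apr 4 2014 ="
    print(to_logstash_timestamp(parse_build_stamp(sample)))
```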