Tags: logstash, logstash-grok

Logstash custom date log format match


I have this log that prints the date in a format that looks like this:

=          Build Stamp: 10:45:33 On Apr  4 2014           =

So I have run the filter on the grok debugger but am still clueless on how to remove the word On

grok {
patterns_dir => "./patterns"
match => { "message" => "%{F_TIMESTAMP:timestamp}" }
}

date {
match => [ "timestamp" , "HH:mm:ss MMM  d yyyy" , "HH:mm:ss MMM  dd yyyy" ]
locale => "en"
}

pattern file:

F_TIMESTAMP %{TIME} \On %{MONTH} +%{MONTHDAY} %{YEAR}

My current output for timestamp would be

10:45:33 On Apr 4 2014 (on the grok debugger).

Then how can I make it compatible with / match the logstash @timestamp?


Solution

  • You can extract each part of the date and time and combine them in another field without the On keyword.

    You can achieve this as follows:

    filter {
        grok {
            # F_TIMESTAMP is a custom pattern, so grok must be pointed at the
            # pattern file (the question used patterns_dir => "./patterns").
            patterns_dir => "./patterns"
            match => { "message" => "%{F_TIMESTAMP}" }
        }
        # Recombine the captured pieces without the "On" keyword.
        # Note: if grok did not match, the event is tagged _grokparsefailure and
        # the %{...} references below stay as literal text, so the date filter
        # fails as well; guard with a conditional on that tag if that matters.
        mutate {
            add_field => {
                "timestamp" => "%{time} %{month} %{monthday} %{year}"
            }
        }
        # Single-space formats match the field built above; Joda "d" already
        # accepts one- or two-digit days. The parsed value goes to @timestamp.
        date {
            match => [ "timestamp" , "HH:mm:ss MMM d yyyy" , "HH:mm:ss MMM dd yyyy" ]
            locale => "en"
        }
        # Drop the scratch fields once @timestamp is set.
        mutate {
            remove_field => [ "time" ,"month","monthday","year","timestamp"]
        }
    }
    

    # in the pattern file under patterns_dir: each name after the colon becomes an event field
    F_TIMESTAMP %{TIME:time}\s*On\s*%{MONTH:month}\s*%{MONTHDAY:monthday}\s*%{YEAR:year}

    It's working fine for me.
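To see the answer's filter chain (grok capture, recombination without "On", date parsing, scratch-field removal) work end to end without running Logstash, here is an added stand-alone Ruby script, not code from the question or the answer. It uses approximations of the stock grok TIME, MONTH, MONTHDAY and YEAR patterns as Ruby named captures, constructed sample lines (the third is deliberately malformed to show the grok-failure path), and assumes UTC for the parsed timestamp, which Logstash only does if `timezone` is set accordingly.

```ruby
require 'date'
require 'time'

# Constructed sample lines (not from the original post); the third one is
# deliberately malformed to exercise the _grokparsefailure path.
SAMPLE_LINES = [
  "=          Build Stamp: 10:45:33 On Apr  4 2014           =",
  "=          Build Stamp: 09:05:07 On Dec 25 2013           =",
  "=          Build Stamp: unknown                           =",
].freeze

# Approximations of the stock grok patterns the answer leans on.
HOUR     = '(?:2[0123]|[01]?[0-9])'
MINUTE   = '(?:[0-5][0-9])'
SECOND   = '(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)'
TIME     = "(?<![0-9])#{HOUR}:#{MINUTE}:#{SECOND}(?![0-9])"
MONTH    = '\b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|' \
           'Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b'
MONTHDAY = '(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])'
YEAR     = '(?>\d\d){1,2}'

# The answer's F_TIMESTAMP with the grok field names turned into Ruby named captures:
#   %{TIME:time}\s*On\s*%{MONTH:month}\s*%{MONTHDAY:monthday}\s*%{YEAR:year}
F_TIMESTAMP = Regexp.new(
  "(?<time>#{TIME})\\s*On\\s*(?<month>#{MONTH})\\s*(?<monthday>#{MONTHDAY})\\s*(?<year>#{YEAR})"
)

# Ruby strptime equivalent of the Joda format "HH:mm:ss MMM d yyyy" (locale en).
DATE_FORMAT = '%H:%M:%S %b %d %Y'.freeze

# Mirrors the answer's filter chain on one message:
#   grok -> mutate add_field (recombine without "On") -> date -> mutate remove_field.
# Returns the resulting event as a Hash. On a grok miss the event keeps its
# message and gains the _grokparsefailure tag, as Logstash would, and the date
# step is skipped so no bogus @timestamp is produced.
def build_stamp_event(message)
  event = { 'message' => message }
  m = F_TIMESTAMP.match(message)
  unless m
    event['tags'] = ['_grokparsefailure']
    return event
  end
  # mutate add_field: "%{time} %{month} %{monthday} %{year}"
  timestamp = "#{m[:time]} #{m[:month]} #{m[:monthday]} #{m[:year]}"
  # date filter; UTC is an assumption here (Logstash uses the host timezone
  # unless `timezone` is set).
  parsed = DateTime.strptime(timestamp, DATE_FORMAT)
  event['@timestamp'] = parsed.to_time.utc.iso8601
  # The final mutate removes time/month/monthday/year/timestamp, so they are
  # never copied into the returned event.
  event
end

def build_stamp_events(lines)
  lines.map { |line| build_stamp_event(line) }
end

if __FILE__ == $PROGRAM_NAME
  build_stamp_events(SAMPLE_LINES).each { |event| puts event.inspect }
end
```

Running the script prints one Hash per sample line; the first two carry an ISO 8601 `@timestamp` and no scratch fields, the third carries only the message and the `_grokparsefailure` tag, which is the case a conditional in the real pipeline should catch before the mutate and date filters run.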