I have a field that can look like this: 23:59:47
I tried using
%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}
as a pattern, but that gives me the generic grokparsefailure.
{TIME:time} works well, but I want hour, minute and second.
filter {
  grok {
    match => { "message" => "%{DATE:date} %{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second} %{GREEDYDATA:logMessage}" }
  }
}
I know this is quite an old question, but I just had the same query and TIME seems to work now.
Using https://grokdebug.herokuapp.com/ with 23:59:57 as input and %{TIME:timestamp} as filter gives me the original plus separate fields for HOUR, MINUTE and SECOND.
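An added example, not part of the original posts: a minimal Ruby sketch of how grok expands %{NAME:field} references into a single regex. It shows that the three-part pattern splits 23:59:47 on its own, and why a debugger that also captures unnamed sub-patterns lists HOUR, MINUTE and SECOND for %{TIME}. The names GROK, expand and grok are hypothetical; the four definitions are transcribed from the logstash-patterns-core pattern file and are an assumption about the version in use.

```ruby
# Subset of grok definitions (assumed to match logstash-patterns-core).
GROK = {
  "HOUR"   => '(?:2[0123]|[01]?[0-9])',
  "MINUTE" => '(?:[0-5][0-9])',
  "SECOND" => '(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)',
  "TIME"   => '(?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])',
}.freeze

# Expand %{NAME} and %{NAME:field} into regex source, recursively.
# named_only: true  -> only %{NAME:field} becomes a capture (field name).
# named_only: false -> bare %{NAME} is also captured, under NAME itself.
def expand(pattern, named_only: true)
  pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = $1, $2
    body = GROK.fetch(name) { raise ArgumentError, "unknown grok pattern #{name}" }
    inner = expand(body, named_only: named_only)
    capture = field || (named_only ? nil : name)
    capture ? "(?<#{capture}>#{inner})" : "(?:#{inner})"
  end
end

# Return the captured fields, or nil when the whole expression fails.
# Grok is all-or-nothing: one token that cannot match fails every field.
def grok(pattern, text, named_only: true)
  m = Regexp.new(expand(pattern, named_only: named_only)).match(text)
  m && m.named_captures
end

if __FILE__ == $0
  split = "%{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second}"
  # Constructed sample values, taken from the question and answer above.
  p grok(split, "23:59:47")
  p grok("%{TIME:time}", "23:59:47")
  p grok("%{TIME:time}", "23:59:47", named_only: false)
  p grok(split, "23:61:47") # MINUTE cannot match 61, so no fields at all
end
```

In Logstash itself, the grok filter's named_captures_only option defaults to true, so the bare sub-patterns inside TIME are not emitted as fields unless that option is turned off.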