Logstash parse date/time

Question

I have the following I'm trying to parse with GROK:

Hello|STATSTIME=20-AUG-15 12.20.03.051000 PM|World

I can parse the first bunch of it with GROK like so:

match => ["message","%{WORD:FW}\|STATSTIME=%{MONTHDAY:MDAY}-%{WORD:MON}-%{INT:YY} %{INT:HH}"]

Anything further than that gives me an error. I can't figure out how to quote the : character, : does not work and %{TIME:time} does not work. I'd like to be able to get the whole thing as a timestamp, but can't get it broken up. Any ideas?

Your example uses "." (period) to separate hour/min/sec, but your narrative talks about ":" (colon). Which is it? — Alain Collins, Sep 09 '15 at 00:52

score 0 · Answer 1 · answered Oct 31 '15 at 05:55

You can use this to debug grok expressions

The time format is as shown here

To parse 12.20.03.051000

%{INT:hour}.%{INT:min}.%{INT:sec}.%{INT:ms}

Output will be something like this

{
"hour": [
      [
      "12"
      ]
 ],
"min": [
     [
      "20"
     ]
 ],
"sec": [
    [
     "03"
    ]
],
"ms": [
    [
   "051000"
    ]
 ]
}

Logstash parse date/time

1 Answers1