
I have a field that can look like this: 23:59:47

I tried using %{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second} as a pattern, but that gives me the generic grokparsefailure.

{TIME:time} works well, but I want hour, minute and second.

filter {
  grok {
    match => {"message" => "%{DATE:date} %{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second} %{GREEDYDATA:logMessage}"}
  }
}
baudsp
Christian Neverdal
  • Can you show us the full grok filter please? – vdolez Sep 24 '15 at 09:41
  • Yes, I most certainly can do that. – Christian Neverdal Sep 24 '15 at 09:42
  • Tried 23:59:47 and %{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second} at https://grokdebug.herokuapp.com/ and it works. Can you put in the complete line with the date that you are trying to parse – Yogesh_D Sep 24 '15 at 09:47
  • Using http://grokdebug.herokuapp.com/ with 23:59:57 as input and %{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second} as filter, I do retrieve each field separately. But if I use your complete filter, then there's no match. Can you provide a full line as input as well, please? – vdolez Sep 24 '15 at 09:47
  • The problem may occur because you're trying to parse a date AND a time and I think the time may be included in the first date field. – vdolez Sep 24 '15 at 09:51

1 Answer


I know this is quite an old question, but I just had the same query and TIME seems to work now.

Using https://grokdebug.herokuapp.com/ with 23:59:57 as input and %{TIME:timestamp} as filter gives me the original plus separate fields for HOUR, MINUTE and SECOND
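
The check the commenters ran by hand (time tokens alone match, the full filter does not) can be automated by growing the pattern one token at a time. This is an added example, not code from the post or from Logstash: the pattern table is a simplified stand-in for the stock grok definitions, the helper names are hypothetical, and both input lines are constructed because the asker's real line is not shown.

```python
import re

# Simplified stand-ins for a few stock grok patterns (assumption: close to,
# but not copied from, the definitions Logstash ships).
PATTERNS = {
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "YEAR": r"(?:\d\d){1,2}",
    "DATE": r"(?:%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}"
            r"|%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR})",
    "GREEDYDATA": r".*",
}
TOKEN = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(grok):
    """Translate a grok expression to a Python regex; %{NAME:field} becomes a named group."""
    def sub(m):
        body = expand(PATTERNS[m.group(1)])
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else body
    return TOKEN.sub(sub, grok)

def grok_match(grok, line):
    """Return the captured fields, or None (the case Logstash tags as a grok parse failure)."""
    m = re.search(expand(grok), line)
    return m.groupdict() if m else None

def first_failing_token(grok, line):
    """Grow the pattern one %{...} token at a time and report where the match breaks."""
    for m in TOKEN.finditer(grok):
        if grok_match(grok[:m.end()], line) is None:
            return m.group(0)
    return None if grok_match(grok, line) else "(trailing literal)"

# Pattern from the question; both input lines are constructed samples.
QUESTION_PATTERN = ("%{DATE:date} %{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second} "
                    "%{GREEDYDATA:logMessage}")
GOOD_LINE = "09/24/2015 23:59:47 service started"
BAD_LINE = "Sep 24 2015 23:59:47 service started"

if __name__ == "__main__":
    print(grok_match(QUESTION_PATTERN, GOOD_LINE))
    print(first_failing_token(QUESTION_PATTERN, BAD_LINE))
```

When the reported token is the first one, the time tokens are not at fault: the line never got past the date, so the whole event fails to parse.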