Grok patterns for timestamp

Question

Is there a grok pattern to extract the timestamp and date out of this string.

21:11:51:569/UTC(11/5/2015)

?

I am able to use the grok patterns DATE_US and TIME separately. But not together (ie)

The below patterns work.

%{TIME:time} -- 21:11:51:569/UTC
%{DATE_US:date} -- (11/5/2015)

However the complete string 21:11:51:569/UTC(11/5/2015) is not evaluating with %{TIME:time}|%{DATE_US:date}

score 9 · Accepted Answer · answered Nov 09 '15 at 20:48

I think you asked about 6 questions; we'll see if I get them all...

There is no build-in pattern that will match your datetime format.
%{TIME} will match your "21:11:51:569" (though I can't imagine wanting "51:569" for "seconds").
%{TIME} will not match your timezone info.
%{DATE_US} will match your "11/5/2015".
Saying "foo|bar" in a regular expression is intended to match "foo" OR "bar". Your pattern of "%{TIME}|%{DATE}" matches the time, then stops.
A pattern like this will match both pieces: %{TIME}/UTC\(%{DATE_US}\)
Use can use the %{TZ} pattern to match the timezone.

So, with all that, try:

%{TIME:time}/%{TZ:tz}\(%{DATE_US:date}\)

Thanks a lot. That helped me. – Bharath Nov 09 '15 at 21:34 — Bharath, Nov 09 '15 at 21:34

1 Answers1