Created
March 13, 2012 20:07
-
-
Save tolland/2031228 to your computer and use it in GitHub Desktop.
recombining the timezone to bare timestamps
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| input { | |
| file { | |
| type => "syslog" | |
| path => [ "/var/log/messages", "/var/log/auth.log" ] | |
| add_field => [ "offset", "-0800" ] | |
| } | |
| } | |
| filter { | |
| grok { | |
| type => "syslog" | |
| pattern => "%{SYSLOGLINE}" | |
| add_field => [ "timestamp_offset","%{timestamp} %{offset}" ] | |
| } | |
| ## docs say first match wins... so this should work..... | |
| date { | |
| type => "syslog" | |
| timestamp => "MMM d HH:mm:ss Z" ###<----these are written over | |
| timestamp => "MMM dd HH:mm:ss Z" ###<----these are written over | |
| timestamp => "MMM d HH:mm:ss" | |
| timestamp => "MMM dd HH:mm:ss" | |
| timestamp8601 => ISO8601 # Some syslogs use ISO8601 time format | |
| } | |
| ## but no, have to have more specific matches at the end | |
| date { | |
| type => "syslog" | |
| timestamp => "MMM d HH:mm:ss" | |
| timestamp => "MMM dd HH:mm:ss" | |
| timestamp => "MMM d HH:mm:ss Z" | |
| timestamp => "MMM dd HH:mm:ss Z" ###<----this way for the win..! | |
| timestamp8601 => ISO8601 # Some syslogs use ISO8601 time format | |
| } | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment