Using multiple grok patterns to assign a value to 1 field


My question is about how to use Grok patterns.
I am aware that, given an existing Grok pattern, I can use the following syntax to assign the value to a field:
%{DATESTAMP_RFC822:timestamp}
I also know that I can create my own custom pattern and use it with the patternsDir field.
My question is whether I can use a combination of Grok patterns to parse and assign the value to a field.
For example, here is the 'definition' of the DATESTAMP_RFC822 pattern:
DATESTAMP_RFC822 = %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}
If I don't want %{TZ} as a part of the pattern, how do I use the rest of the pattern to parse and assign timestamp? Something similar to ...
?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME}
I know the above doesn't work. But I hope it is clear what I want to achieve.

Just found the answer. My last attempt was actually correct.
?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME}
I just needed to add opening and closing '(' to make it work.
(?<timestamp>%{MONTH}/%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}))
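
The behaviour described in the answer, as an added example (not part of the original post and not Logstash's own code): a small Ruby expander that turns %{NAME} references into regex text, so a parenthesised (?<timestamp>...) group wrapping several sub-patterns yields one field. The sub-pattern bodies are simplified stand-ins for the stock grok definitions, and expand, grok and the sample lines are hypothetical names and constructed data.

```ruby
# Simplified stand-ins for the stock grok pattern definitions (assumption).
PATTERNS = {
  "DAY"      => "(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)",
  "MONTH"    => "(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)",
  "MONTHDAY" => "(?:0?[1-9]|[12][0-9]|3[01])",
  "YEAR"     => "(?:\\d\\d){1,2}",
  "HOUR"     => "(?:2[0-3]|[01]?[0-9])",
  "MINUTE"   => "(?:[0-5][0-9])",
  "SECOND"   => "(?:[0-5][0-9])",
  "TIME"     => "%{HOUR}:%{MINUTE}:%{SECOND}",
  "TZ"       => "(?:[A-Z]{3})",
  "DATESTAMP_RFC822" => "%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}",
}.freeze

# Expand %{NAME} and %{NAME:field} recursively into plain regex source.
# %{NAME:field} becomes a named group; bare %{NAME} stays non-capturing.
def expand(pattern)
  pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = $1, $2
    body = expand(PATTERNS.fetch(name))
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
end

# Return the named fields as a Hash, or nil when the line does not match
# or the expanded expression is not a usable regex.
def grok(expression, line)
  m = Regexp.new(expand(expression)).match(line)
  m && m.named_captures
rescue RegexpError
  nil
end

# Constructed sample log lines.
RFC822_LINE = "Mon Jan 09 2017 14:03:27 UTC app started"
SHORT_LINE  = "Jan/09 14:03:27 login ok"

NO_TZ     = "(?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME})"
NO_PARENS = "?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME}"
ANSWER    = "(?<timestamp>%{MONTH}/%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}))"

if __FILE__ == $PROGRAM_NAME
  p grok("%{DATESTAMP_RFC822:timestamp}", RFC822_LINE) # stock pattern, TZ included
  p grok(NO_TZ, RFC822_LINE)      # combined sub-patterns, TZ left out
  p grok(NO_PARENS, RFC822_LINE)  # no group around ?<timestamp>, so no field
  p grok(ANSWER, SHORT_LINE)      # the pattern from the answer
end
```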
