Grok pattern for date

Question

I have date in my logs as :

08 Jul 2016 08:58:07,258 ...

Currently I am using :

%{MONTHDAY}[T ]%{MONTH}[T ]%{YEAR}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})[T ]...

to parse it.

How can I convert this into date type. I know how to use 'date' to do so when we have an existing grok pattern but how to do that in my case?

baudsp · Accepted Answer

You can have a custom pattern:

(?%{MONTHDAY}[T ]%{MONTH}[T ]%{YEAR}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND}[T ])

With this, you'll have a field log_timestamp you can give to the date filter.

Or you can use the ruby filter to concatenate all the fields in one to give to the date filter.

Answers (1)