That's what I get for typing it out...thank you for catching that!
Unfortunately, even after correcting for the incorrect milliseconds value,
it's still not replacing timestamp value. I sent the parsed date to a new
field (in this case, "log_timestamp") to verify that the output data was in
the correct format, which it is now, but it still won't replace the
timestamp field.
Message sample with "log_timestamp" field:
WO_CS_RAS_CS_MESSAGE
2017-02-08 11:00:34,980 WARN [Task 'ATLANTA-FS' FS timer.1]
FriendshipTasksServiceImpl = Could not obtain task info for: 2c95ac8e-57e3-
91b2-0158-495b880b24e8REQUEST FAILED ==> STATUS CODE: 404, RESPONSE BODY:
WO_LogLevel
WARN
WO_Log_Source
RAS-CS
WO_Message
Could not obtain task info for: 2c95ac8e-57e3-91b2-0158-495b880b24e8REQUEST
FAILED ==> STATUS CODE: 404, RESPONSE BODY:
WO_Process
Task 'ATLANTA-FS' FS timer.1
WO_SubProcess
FriendshipTasksServiceImpl
WO_Timestamp
2017-02-08 11:00:34,980
facility
filebeat
file
d:\centralserver\ras-server\log\ras_cs_WO-ATL-CS.log
input_type
log
log_timestamp
2017-02-08T11:00:34.980Z
message
2017-02-08 11:00:34,980 WARN [Task 'ATLANTA-FS' FS timer.1]
FriendshipTasksServiceImpl = Could not obtain task info for: 2c95ac8e-57e3-
91b2-0158-495b880b24e8REQUEST FAILED ==> STATUS CODE: 404, RESPONSE BODY:
name
WO-ATL-CS
offset
2372156
source
WO-ATL-CS
timestamp
2017-02-08T16:00:35.864Z
type
log
Corrected rule:
rule "WO-CS-RAS"
when
contains(to_string($message.file),"centralserver\\ras-server\\log\\ras_cs_")
then
set_field("WO_Log_Source","RAS-CS");
let matches = grok(pattern: "%{WO_CS_RAS_CS_MESSAGE}", value:
to_string($message.message));
set_fields(matches);
let date = parse_date(to_string($message.WO_Timestamp), "YYYY-MM-dd
HH:mm:ss,SSS");
set_field("timestamp", date);
route_to_stream("WideOrbit Logs");
end
Thanks!
Cheers,
Al
On Wednesday, February 8, 2017 at 10:55:03 AM UTC-5, Jochen Schalanda wrote:
>
> Hi Al,
>
> On Wednesday, 8 February 2017 15:46:07 UTC+1, Al Reynolds wrote:
>>
>> WO_Timestamp
>> 2017-02-08 09:42:30,056
>>
>> Those messages are with the date parsing disabled. I'm attempting to
>> replace "timestamp" with the "WO_Timestamp" field.
>>
>
> The string in WO_Timestamp doesn't match the pattern "YYYY-MM-dd
> HH:mm:ss,sss" used in parse_date(). See
> http://www.joda.org/joda-time/apidocs/org/joda/time/format/DateTimeFormat.html
>
> for details.
>
> Hint: 's' and 'S' are not the same thing.
>
>
> Side note: The full_message field is empty on my filebeat inputs--is that
>> expected behavior?
>>
>
> Yes, that's expected.
>
> What would you expect to find in the (optional) full_message field?
>
> Cheers,
> Jochen
>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/39dbaa3e-75d5-40c5-99f7-f4f2967ce134%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
