ES requires that the timestamp be a single field, and in a specific format (or
one of a few formats).
I'd have to dig into the ES documentation to see what it requires.
David Lang
On Wed, 16 Nov 2016, Leandro do Nascimento Bernardo wrote:
Hi guys, I persist in this same thread 😞 and now have this scenario.
My parser with lognormalizer is okay ... but when I redirect to
Elasticsearch the timestamp is not recognized.
I have this data (exim log):
2016-11-16 08:58:00
my parser: %day: date-iso% %time: word%
In this case I have two variables for a timestamp.
I need those two variables to be just one variable to provide to Elasticsearch
so that it recognizes it as a real timestamp.
With my scenario ES does not recognize my timestamp.
~Regards
On Fri, 4 Nov 2016 at 07:32 Leandro do Nascimento Bernardo <
[email protected]> wrote:
Thanks again Matthew!
~Regards
Leandro Bernardo
On Thu, 3 Nov 2016 at 13:12 matthew.gaetano <[email protected]>
wrote:
You can find all the documentation @
http://www.liblognorm.com/files/manual/index.html
When using the "char-to" field type you need to set the extra data parameter so
it knows what character to stop at. In your example it would be
%hour:char-to:-% where "-" represents the character after the hour.
Remember that you will still need to account for "-" as a literal afterwards.
That said, you could also just use the field type "date-iso" to capture your
date string, depending on what you're trying to do.
~Regards
Matthew Gaetano
--
View this message in context:
http://rsyslog-users.1305293.n2.nabble.com/Rsyslog-to-JSON-parser-tp7591413p7591440.html
Sent from the rsyslog-users mailing list archive at Nabble.com.
_______________________________________________
rsyslog mailing list
http://lists.adiscon.net/mailman/listinfo/rsyslog
http://www.rsyslog.com/professional-services/
What's up with rsyslog? Follow https://twitter.com/rgerhards
NOTE WELL: This is a PUBLIC mailing list, posts are ARCHIVED by a myriad
of sites beyond our control. PLEASE UNSUBSCRIBE and DO NOT POST if you
DON'T LIKE THAT.
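One way to get the single timestamp field the thread asks for is to join the two parsed fields in rsyslog before the record is sent to Elasticsearch. This is an added example, not configuration posted by anyone in the thread; the file paths, the index and template names, and the `msg` and `timestamp` field names are assumptions.

```conf
# --- /etc/rsyslog.d/exim.rulebase (liblognorm rulebase; path is an assumption) ---
# Same two fields as in the post. "msg" is an added field for the remainder of
# the line; this rule assumes text follows the time, as in exim main log lines.
rule=:%day:date-iso% %time:word% %msg:rest%

# --- /etc/rsyslog.d/exim-es.conf (rsyslog v8 RainerScript; path is an assumption) ---
module(load="mmnormalize")
module(load="omelasticsearch")

# Send the whole parsed JSON tree ($!) as the document body.
template(name="exim-json" type="list") {
    property(name="$!all-json")
}

# Parse the message with the rulebase above; fields land under $!.
action(type="mmnormalize" rulebase="/etc/rsyslog.d/exim.rulebase")

# Forward only records the rulebase matched, so unparsed lines do not
# reach the index with a missing timestamp.
if $parsesuccess == "OK" then {
    # "2016-11-16" and "08:58:00" become "2016-11-16T08:58:00" (ISO 8601).
    # The value carries no UTC offset, so Elasticsearch reads it as UTC.
    set $!timestamp = $!day & "T" & $!time;
    unset $!day;
    unset $!time;
    action(type="omelasticsearch"
           server="localhost"
           searchIndex="exim"
           template="exim-json")
}
```

If the exim host does not log in UTC, event times in the index will be shifted by the local offset, which matters when correlating mail events with other sources.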