Logstash: using date / time in file name as imported field

Question

Logstash: using date / time in file name as imported field

I have a bunch of log files called "XXXXXX_XX_yymmdd_hh: mm: ss.txt". I need to specify the date and time (separate fields) from the file name in the fields that are added to Logstash.

Can anyone help?

thanks

0

grok elasticsearch logstash kibana logstash-grok

AMC Feb 02 '15 at 11:44

source share

1 answer

Magnus bäck · Answer 1 · 2015-02-02T14:07:20+0000

Use grok filter to extract date and time:

filter { grok { match => [ "path", "^%{GREEDYDATA}/[^/]+_%{INT:date}_%{TIME:time}\.txt$" ] } }

Depending on what happens instead of XXXXXX_XX, you might prefer a more strict expression. In addition, GREEDYDATA is not very effective. This can lead to increased performance:

 filter { grok { match => [ "path", "^(?:/[^/]+)+/[^/]+_%{INT:date}_%{TIME:time}\.txt$" ] } }

Logstash: using date / time in file name as imported field

More articles: