I am quite new to this and would need some help understanding Grok patterns. I have the following:
date=2020-06-30 time=09:21:14 devname="600E" devid="FG6H0E5819904479" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1593501674337461223 tz="+0200"
I want to create an Extractor using a Grok pattern.
I started like this (I want year, month, day in separate fields):
which worked fine. How do I proceed from there? I tried many of the time patterns but none seem to work, or (most likely) I use them wrong.
Maybe a kind soul can give me a push by highlighting how I can format the first 3-4 fields; I would highly appreciate it.
Don't try to extract one by one; the best way is to create an extractor with key-value. This way, it extracts all fields with key=value into separate fields.
By the way, Fortigate uses 2 separate fields to set up date and time; you can use this pipeline rule to concat them and use it as the timestamp:
rule "fortigate date+time to timestamp"
when
  has_field("devname") AND has_field("date") AND has_field("time")
then
  // join the two Fortigate fields into one "yyyy-MM-dd HH:mm:ss" string
  let build_message_0 = concat(to_string($message.date), " ");
  let build_message_1 = concat(build_message_0, to_string($message.time));
  // parse it in the device's local zone (adjust the timezone to match your firewall)
  let new_time = parse_date(value: build_message_1, pattern:"yyyy-MM-dd HH:mm:ss", timezone:"Europe/Bratislava");
  // write the parsed value into the message timestamp so searches use the device time
  set_field("timestamp", new_time);
end
Don't forget to check the processing order, so the pipeline runs after the extractors in the list.
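As an added example (not code from this thread or from Graylog), the following Python script does offline what the answer describes: a key=value extractor over the posted Fortigate line, the year/month/day split the question asked about (named regex groups standing in for Grok's %{YEAR}, %{MONTHNUM} and %{MONTHDAY}), and the date+time concatenation of the pipeline rule. It goes one step further than the rule by honouring the tz="+0200" field the device sends instead of a fixed zone, and cross-checks the result against the eventtime field (nanoseconds since the epoch), which is a cheap way to catch a wrong timezone setting. The sample line is constructed from the one in the question; the function names are this example's own.

```python
import re
from datetime import datetime
from zoneinfo import ZoneInfo

# Constructed sample line, same shape as the one posted in the question.
SAMPLE = ('date=2020-06-30 time=09:21:14 devname="600E" devid="FG6H0E5819904479" '
          'logid="0000000013" type="traffic" subtype="forward" level="notice" '
          'vd="root" eventtime=1593501674337461223 tz="+0200"')

# key=value pairs: value is either a double-quoted string (may contain spaces)
# or a run of non-space characters. This is what a key-value extractor does.
KV_RE = re.compile(r'(?P<key>[A-Za-z0-9_.-]+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')

# Stand-in for a Grok pattern such as %{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}.
DATE_RE = re.compile(r'^(?P<year>\d{4})-(?P<month>\d{2})-(?P<day>\d{2})$')

# Fortigate tz values look like +0200 / -0500.
TZ_RE = re.compile(r'[+-]\d{4}')


def parse_kv(line: str) -> dict:
    """Extract every key=value pair into a dict (unquoted values keep their raw text)."""
    fields = {}
    for m in KV_RE.finditer(line):
        value = m.group('quoted') if m.group('quoted') is not None else m.group('bare')
        fields[m.group('key')] = value
    return fields


def split_date(date_value: str) -> dict:
    """Split 'yyyy-mm-dd' into integer year/month/day fields, rejecting anything else."""
    m = DATE_RE.match(date_value)
    if not m:
        raise ValueError(f'unexpected date format: {date_value!r}')
    return {name: int(text) for name, text in m.groupdict().items()}


def build_timestamp(fields: dict, default_tz: str = 'Europe/Bratislava') -> datetime:
    """Concatenate date and time like the pipeline rule, then parse to an aware datetime.

    If the message carries a usable tz field it wins over default_tz, so the
    timestamp stays correct even when a device sits in a different zone than
    the one hard-coded in the rule.
    """
    combined = f"{fields['date']} {fields['time']}"
    tz_raw = fields.get('tz', '')
    if TZ_RE.fullmatch(tz_raw):
        return datetime.strptime(f'{combined} {tz_raw}', '%Y-%m-%d %H:%M:%S %z')
    naive = datetime.strptime(combined, '%Y-%m-%d %H:%M:%S')
    return naive.replace(tzinfo=ZoneInfo(default_tz))


def eventtime_matches(fields: dict, ts: datetime) -> bool:
    """True when the parsed timestamp agrees with eventtime (epoch nanoseconds) to the second.

    A mismatch usually means the timezone used for parsing does not match the device.
    """
    epoch_seconds = int(fields['eventtime']) // 10**9
    return int(ts.timestamp()) == epoch_seconds


if __name__ == '__main__':
    parsed = parse_kv(SAMPLE)
    print(parsed)
    print(split_date(parsed['date']))
    ts = build_timestamp(parsed)
    print(ts.isoformat(), 'matches eventtime:', eventtime_matches(parsed, ts))
```

Running it prints the extracted dict, the year/month/day split and an ISO timestamp of 2020-06-30T09:21:14+02:00 that agrees with the device's own eventtime; drop the tz key from the dict and the same value is produced via the Europe/Bratislava fallback, which is exactly the fixed-zone behaviour of the pipeline rule.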
I can’t thank you enough. Works like a charm and is exactly what I needed.