NLS 2.1.7 - filter timestamp in microseconds

[stooge]

My input:
28500 2020-06-08T19:31:50.739496 lab-vm2 f0bcc1e028f2[23452]: InstanceInfo: bos.tcp-proxy.Local.0

My filter:
if [program] == "import_raw" {
grok {
match => [ 'message', '^%{NUMBER:ser} %{NOTSPACE:timestamp} *%{NOTSPACE:node} *%{GREEDYDATA:log_message}' ]
}
mutate {
replace => [ 'type', 'test_log' ]
}
}

And ingest using:
python shipper.py -f '/tmp/test.logs' program:import_raw | nc 127.0.0.1 2057

This works, however I would like to parse the timestamp ("2020-06-08T19:31:50.739496" in the example above), including the microseconds. I read somewhere that I could convert to Unix epoch time and just use %{NUMBER:timestamp} and the conversion would happen. I tried doing that - didn't get recognized as a timestamp. I was unable to find ms/us precision in the grok docs. I can convert this to any format prior to ingesting. Is this even possible? Thanks in advance

[scottwilkerson]

I believe you can use the mutate example in the following article to chop off that last couple digits of the timestamp

Code: Select all

      mutate {
              gsub => ["timestamp","\d\d\d$",""]
      }

https://discuss.elastic.co/t/how-to-rea ... ssss/64792

[stooge]

Thanks. I got milliseconds working

[scottwilkerson]

Thanks. I got milliseconds working

Great!

Locking thread