Hi all

I'm trying to forward logs to my Graylog server using nxlog, and it's working fine, except for one minor problem which I've been unable to fix:

The date/time format in the log is as follows:

2016/03/17    07:06:27 AM     Message

I have been able to extract the date into $1 and time into $2 with regex (and message into $3) without an issue. However, I'm unable to parse the combination of the two as a date and get it into 24H format using parsedate or strptime.

Any ideas how I can populate $EventTime with the date + 24H time format from the above? Everything I try seems to result in the field being undefined.

Thanks

Asked March 21, 2016 - 11:40am

Answer (1)

Have you tried strptime()? This can handle the AM/PM format.

Comments (2)

  • Ascendo

    Initially I was trying to use that but it appears that I was using %H for hours instead of %I. This is now working perfectly:

         $TestEventTime = strptime($1 + ' ' + $2, '%Y/%m/%d %I:%M:%S %p'); 

    However, I now have another problem. If I use $EventTime instead of $TestEventTime, the field does not make it through to Graylog. I'm not sure nxlog is using this variable correctly for the timestamp. Any ideas?

  • Ascendo

    In fact it's working as it should. My test data was outside my search window (since I have just been copying/pasting the same lines to get test data).
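
The %H versus %I difference discussed in this thread, as an added example that is not part of the original posts and is written in Python rather than nxlog's configuration language. It normalises lines in the question's layout to 24-hour timestamps and shows that, in Python's `strptime`, `%H` combined with `%p` parses without error but ignores AM/PM; the function name, regex and sample lines are constructed for illustration.

```python
import re
from datetime import datetime

# Layout from the question: date, whitespace, 12-hour time with AM/PM, whitespace, message.
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2})\s+(\d{2}:\d{2}:\d{2} [AP]M)\s+(.*)$")

FMT_12H = "%Y/%m/%d %I:%M:%S %p"    # %I = 12-hour clock, interpreted together with %p
FMT_WRONG = "%Y/%m/%d %H:%M:%S %p"  # %H = 24-hour clock; Python then ignores %p


def parse_line(line, fmt=FMT_12H):
    """Return (24h_timestamp, message), or None when the line cannot be parsed.

    Hypothetical helper: returning None makes unparseable lines visible
    instead of forwarding an event with an undefined or wrong time.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(1) + " " + m.group(2), fmt)
    except ValueError:
        return None
    return ts.strftime("%Y-%m-%d %H:%M:%S"), m.group(3)


# Constructed sample lines in the format shown in the question.
SAMPLES = [
    "2016/03/17    07:06:27 AM     Message",
    "2016/03/17    07:06:27 PM     Message",
    "2016/03/17    12:00:05 AM     Message",  # midnight must become 00:00:05
    "2016/03/17    12:00:05 PM     Message",  # noon must stay 12:00:05
    "2016/03/17    19:06:27 PM     Message",  # not a valid 12-hour time
]

if __name__ == "__main__":
    for line in SAMPLES:
        # Left: correct %I parse. Right: %H parse, 12 hours off for PM lines.
        print(parse_line(line), "|", parse_line(line, FMT_WRONG))
```

A timestamp that is silently 12 hours off has the same symptom as the one in the last comment: the event is stored but falls outside the search window.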