Parsing timestamps

Looking at the timestamps on the lines we pushed into Zabbix, the date and time in the file didn't match the date and time displayed in Zabbix: Zabbix marked the entries with the time it collected them. This is fine in most cases when we're doing constant monitoring; content is checked every second or so, gathered, timestamped, and pushed to the server. When parsing older data, though, the timestamps can be way off. Zabbix does offer a way to parse timestamps out of the log entries.

Let's use our very first log file monitoring item for this.

Navigate to Configuration | Hosts, click on Items next to A test host, and click on First logfile in the Name column. Notice the Log time format field; that's what we'll use now. It allows us to use special characters to extract the date and time. The supported characters are as follows:

  • y: Year
  • M: Month
  • d: Day
  • h: Hour
  • m: Minute
  • s: Second

In our test log files, we used a time format like this:

2018-12-13 13:01:03 

The time format string to parse out date and time would look like this:

yyyy-MM-dd hh:mm:ss 

Note that only the supported characters matter; the other ones are just ignored and can be anything. For example, the following would work exactly the same:

yyyyPMMPddPhhPmmPss 

You can choose any characters outside of the special ones. Which ones would be best? Well, it's probably best to aim for readability. Enter one of the examples here in the Log time format field:

When specifying the log time format, all date and time components must be present; for example, it's not possible to extract the time if seconds are missing.

When done, click on the Update button at the bottom. Allow a few minutes to pass, then proceed with adding entries to the monitored file. Choose a date and time within the last hour of your current time and run the following on A test host:

$ echo "2018-12-01 16:40:13 a timestamped log entry" >> /tmp/zabbix_logmon/logfile1

Now, check the history for the First logfile item in the latest data page:

There's one difference from the previous cases. The Local time column is populated now, and it contains the time we specified in our log line. The Timestamp column still holds the time when Zabbix collected the line.

Note that only numeric data is supported for date and time extraction. The standard Syslog format uses short textual month names such as Jan, Feb, and so on; such a date/time format isn't supported for extraction at this time.
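The extraction rules described above (positional placeholders, ignored filler characters, all six components required, digits only) can be modelled in a few lines of Python. This is an added illustration, not Zabbix's own code; the function name extract_log_time and the sample lines are constructed for the example.

```python
from datetime import datetime

# Placeholder characters listed on this page, mapped to datetime fields.
PLACEHOLDERS = {"y": "year", "M": "month", "d": "day",
                "h": "hour", "m": "minute", "s": "second"}


def extract_log_time(fmt, line):
    """Model of the positional extraction described in the text.

    Hypothetical helper: each placeholder in fmt takes the digit at the
    same position in line. Returns a datetime, or None when extraction
    is not possible.
    """
    digits = {field: "" for field in PLACEHOLDERS.values()}
    for pos, ch in enumerate(fmt):
        field = PLACEHOLDERS.get(ch)
        if field is None:
            continue  # filler character: whatever the log has here is ignored
        if pos >= len(line) or line[pos] not in "0123456789":
            return None  # short line or non-numeric data such as "Dec"
        digits[field] += line[pos]
    if any(value == "" for value in digits.values()):
        return None  # a component (for example, seconds) is missing
    try:
        return datetime(**{k: int(v) for k, v in digits.items()})
    except ValueError:
        return None  # digits present but not a valid date, e.g. month 13


if __name__ == "__main__":
    # Constructed sample lines; the first matches the entry used in this section.
    entry = "2018-12-01 16:40:13 a timestamped log entry"
    syslog_like = "2018 Dec 01 16:40:13 host app: textual month"
    for fmt, line in [
        ("yyyy-MM-dd hh:mm:ss", entry),         # readable format
        ("yyyyPMMPddPhhPmmPss", entry),         # same result, different filler
        ("yyyy-MM-dd hh:mm", entry),            # seconds missing: no extraction
        ("yyyy MMM dd hh:mm:ss", syslog_like),  # textual month: no extraction
    ]:
        print(f"{fmt!r:24} -> {extract_log_time(fmt, line)}")
```

When the function returns None, the model corresponds to an entry that carries only the collection time, which is the case to watch for when reconstructing an event timeline from imported or delayed logs.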
