Using multiple grok pattern to assign value to 1 field

Question

My question is regarding how to use Grok pattern.

I am aware that a given existing Grok pattern, I can use the following syntax to assign the values to a field:

%{DATESTAMP_RFC822:timestamp}

I also know that I can create my own custom pattern and use it with patternsDir field.

My question is if I can use the combination of Grok pattern to parse and assign the value to a field?

For example, here is the 'definition' of the DATESTAMP_RFC822 pattern:

DATESTAMP_RFC822 = %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ}

If I don't want %{TZ} as a part of the pattern, how do I use the rest of the pattern to parse and assign timestamp? Something similar to ...

?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME}

I know the above doesn't work. But I hope it is clear what I want to achieve.

Answer 1

Just found the answer. My last attempt was actually correct.

?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME}

I just needed to add opening and closing '(' to make it work.

(?<timestamp>%{MONTH}/%{MONTHDAY} %{HOUR}:?%{MINUTE}(?::?%{SECOND}))