2 different time formats in one Logstash pipeline

Hello guys!
Please, I need your advice.

From one client server, two different logs with different timestamp formats are coming into Logstash:

  1. [2021-02-24 00:00:06,335] [[ACTIVE] ExecuteThread: '121' for queue: 'weblogic.kernel.Default (self-tuning)'] ERROR EntityDataSourceRepository:readEntities:130

  2. 2021-01-27 10:22:04 0.488 GET 200 /api/1.0/info/prepaidAddBalance?ctn=7768741498&hash

Because Elasticsearch can't take different timestamp formats at the same time (as I understand it), I cut the milliseconds from the first time pattern, but it doesn't work: nothing goes to Elasticsearch.

My current filter is:

# NOTE(review): this is the config as it was first posted, before the forum
# formatting was fixed. The named-capture names "(?<date>...)" / "(?<hms>...)"
# and the backslashes in front of "[" and "]" were swallowed by the markup, so
# the patterns below are not what the pipeline actually runs; the repost later
# in the thread shows them intact. The comments here describe intent only.
filter {

# Access-log branches: date and time are captured separately, joined with one
# space into log_time, and parsed into @timestamp for the Asia/Almaty zone.
if "/uss/servlet/ivrRequest" in [message] {
grok { match => {"message" => "(?%{YEAR}-%{MONTHNUM}-%{MONTHDAY})\t[\t]%{WORD:method}[\t]%{URIPATH:request_type}[?]BNumber=%{NUMBER:bnumber}&ANumber=%{NUMBER:msisdn}[\t]%{NUMBER:response_code}[\t]%{NUMBER:response_time}"}}

mutate {
add_field => {"log_time" => "%{date} %{hms}"}
}
date { match => [ "log_time", "YYYY-MM-dd HH:mm:ss" ]
timezone => "Asia/Almaty"
target => "@timestamp"
}
# strip runs after the date filter has already consumed log_time, so it has no
# effect on the parse.
mutate {strip => ["log_time"]
remove_field => ["date", "hms"]
}

}

else if "/uss/servlet/ussdHttpServlet.ru" in [message] or "/uss/servlet/ussdHttpServlet.kz" in [message] {
grok { match => {"message" => "(?%{YEAR}-%{MONTHNUM}-%{MONTHDAY})\t[\t]%{WORD:method}[\t]%{URIPATH:request_type}[?]msisdn=%{NUMBER:msisdn}&ussd=%{NUMBER:ussd}[\t]%{NUMBER:response_code}[\t]%{NUMBER:response_time}"}}
mutate {
add_field => {"log_time" => "%{date} %{hms}"}
}
date { match => [ "log_time", "YYYY-MM-dd HH:mm:ss" ]
timezone => "Asia/Almaty"
target => "@timestamp"
}
mutate {strip => ["log_time"]
remove_field => ["date", "hms"]
}
}

# Error-log branches. NOTE(review): this "if" starts a SECOND, separate chain,
# not an "else if" of the one above. An event that matched an access-log branch
# is evaluated here again, falls into the final "else", fails that grok (which
# expects a number, not the HTTP method, after the time) and is then dropped by
# the _grokparsefailure check at the bottom. "ER004" is also listed twice.
if "ER000" in [message] or "ER001" in [message] or "ER002" in [message] or "ER003" in [message] or "ER004" in [message] or "ER004" in [message] or "TUX" in [message] or "ER034" in [message] {
grok { match => {"message" => "[%{TIMESTAMP_ISO8601:error_log_time}]%{GREEDYDATA} %{LOGLEVEL:log-level}%{GREEDYDATA} \NAPIERROR %{WORD:action}%{GREEDYDATA} [%{WORD:response_code}%{GREEDYDATA}\BAN=[%{NUMBER:ban}%{GREEDYDATA}\SUBSCRIBER_NO=[%{NUMBER:subscriber_no}%{GREEDYDATA}\SOC=[%{WORD:soc}%{GREEDYDATA}"}}

# Cuts ",mmm" off the ISO timestamp. Not required: the date filter can parse the
# milliseconds directly with "YYYY-MM-dd HH:mm:ss,SSS".
mutate { gsub => ["error_log_time", ",\d{3}$", ""]}

date { match => [ "error_log_time", "YYYY-MM-dd HH:mm:ss" ]
timezone => "Asia/Almaty"
target => "@timestamp"
}
}

else if "! service is too slow" in [message] {
grok { match => {"message" => "[%{TIMESTAMP_ISO8601:error_log_time}]%{GREEDYDATA} %{LOGLEVEL:log-level}%{GREEDYDATA}- %{GREEDYDATA:response_code}"}}

mutate { gsub => ["error_log_time", ",\d{3}$", ""]}

date { match => [ "error_log_time", "YYYY-MM-dd HH:mm:ss" ]
timezone => "Asia/Almaty"
target => "@timestamp"
}
}

else if "! Tuxedo service is too slow" in [message] {
grok { match => {"message" => "[%{TIMESTAMP_ISO8601:error_log_time}]%{GREEDYDATA} %{LOGLEVEL:log-level}%{GREEDYDATA}- %{GREEDYDATA:response_code}: com%{GREEDYDATA}"}}

mutate { gsub => ["error_log_time", ",\d{3}$", ""]}

date { match => [ "error_log_time", "YYYY-MM-dd HH:mm:ss" ]
timezone => "Asia/Almaty"
target => "@timestamp"
}
}

# Catch-all for the "time response_time method code path?ctn=..." access lines.
# Anything else (for example the "[..] [[ACTIVE] ExecuteThread ...] ERROR ..."
# sample) lands here, fails this grok and is dropped below.
else {
grok { match => {"message" => "(?%{YEAR}-%{MONTHNUM}-%{MONTHDAY})\t[\t]%{NUMBER:response_time}[\t]%{WORD:method}[\t]%{NUMBER:response_code}[\t]%{URIPATH:request_type}[?]ctn=%{NUMBER:msisdn}"}}

mutate {
add_field => {"log_time" => "%{date} %{hms}"}
}
date { match => [ "log_time", "YYYY-MM-dd HH:mm:ss" ]
timezone => "Asia/Almaty"
target => "@timestamp"
}
mutate {strip => ["log_time"]
remove_field => ["date", "hms"]
}
}

# Silently discards every event no pattern matched. From a monitoring point of
# view this hides parsing gaps; tagging and routing to a separate index is the
# safer alternative while the patterns are still being tuned.
if "_grokparsefailure" in [tags] {
drop {}
}

}

Your grok patterns cannot be compiled as posted. Please edit your post, select the configuration, and click on </> in the toolbar above the edit panel. That will change the formatting from

grok { match => {"message" => "[%{TIMESTAMP_ISO8601:error_log_time}]%

to

grok { match => {"message" => "\[%{TIMESTAMP_ISO8601:error_log_time}\]%

and prevent characters from the pattern being interpreted as formatting.

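# Logstash filter for two line shapes that arrive from the same client server:
#   access lines : "YYYY-MM-DD<ws>HH:MM:SS<ws>..."           (tab- or space-separated fields)
#   error lines  : "[YYYY-MM-DD HH:MM:SS,mmm] [thread] LEVEL ..."
# Every branch parses its own source time into @timestamp with the date filter,
# so the two formats never have to be made identical before indexing -- the date
# filter is where they are normalized. The earlier gsub that cut the
# milliseconds is therefore gone; the date filter consumes them directly.
#
# Structural fix: the access-log branches and the error-log branches used to be
# two separate if-chains, so every access line was evaluated a second time, fell
# into the trailing "else", failed that grok, picked up _grokparsefailure and was
# dropped at the bottom of the filter. It is now a single if / else-if chain.
#
# NOTE(review): msisdn / bnumber / ban / subscriber_no look like subscriber
# identifiers, i.e. personal data. Limit who can read the target index (or hash
# them with the fingerprint filter) if analysts do not need the raw values.
filter {

  # --- access lines: IVR request ----------------------------------------------
  # \s+ instead of [\t] so the patterns match whether the producer writes tabs
  # or spaces between fields (the posted sample shows spaces).
  if "/uss/servlet/ivrRequest" in [message] {
    grok {
      match => { "message" => "(?<date>%{YEAR}-%{MONTHNUM}-%{MONTHDAY})\s+(?<hms>%{HOUR}:%{MINUTE}:%{SECOND})\s+%{WORD:method}\s+%{URIPATH:request_type}\?BNumber=%{NUMBER:bnumber}&ANumber=%{NUMBER:msisdn}\s+%{NUMBER:response_code}\s+%{NUMBER:response_time}" }
    }
    # Re-join date and time with exactly one space so a single date pattern
    # covers both tab- and space-separated input.
    mutate { add_field => { "log_time" => "%{date} %{hms}" } }
    date {
      match    => [ "log_time", "YYYY-MM-dd HH:mm:ss" ]
      timezone => "Asia/Almaty"
      target   => "@timestamp"
    }
    mutate { remove_field => [ "date", "hms" ] }
  }

  # --- access lines: USSD servlets --------------------------------------------
  else if "/uss/servlet/ussdHttpServlet.ru" in [message] or "/uss/servlet/ussdHttpServlet.kz" in [message] {
    grok {
      match => { "message" => "(?<date>%{YEAR}-%{MONTHNUM}-%{MONTHDAY})\s+(?<hms>%{HOUR}:%{MINUTE}:%{SECOND})\s+%{WORD:method}\s+%{URIPATH:request_type}\?msisdn=%{NUMBER:msisdn}&ussd=%{NUMBER:ussd}\s+%{NUMBER:response_code}\s+%{NUMBER:response_time}" }
    }
    mutate { add_field => { "log_time" => "%{date} %{hms}" } }
    date {
      match    => [ "log_time", "YYYY-MM-dd HH:mm:ss" ]
      timezone => "Asia/Almaty"
      target   => "@timestamp"
    }
    mutate { remove_field => [ "date", "hms" ] }
  }

  # --- error lines: API error codes -------------------------------------------
  # "ER004" was listed twice in the original; if a different code was meant, add
  # it here. NOTE: "TUX" in [message] is a plain, case-sensitive substring test;
  # any line containing those three letters takes this branch before the
  # "too slow" branches below are considered.
  else if "ER000" in [message] or "ER001" in [message] or "ER002" in [message] or "ER003" in [message] or "ER004" in [message] or "TUX" in [message] or "ER034" in [message] {
    # NOTE(review): \N, \B and \S inside this pattern are Oniguruma escapes
    # (any-char-but-newline, non-word-boundary, non-whitespace), not literal
    # backslashes. They happen to match "NAPIERROR", "BAN=", "SUBSCRIBER_NO="
    # and "SOC=", but if the log really contains "\BAN=[..." the escape has to
    # be "\\BAN=\[". Validate against a real sample line before relying on it.
    grok {
      match => { "message" => "\[%{TIMESTAMP_ISO8601:error_log_time}\]%{GREEDYDATA} %{LOGLEVEL:log-level}%{GREEDYDATA} \NAPIERROR %{WORD:action}%{GREEDYDATA} \[%{WORD:response_code}%{GREEDYDATA}\BAN=\[%{NUMBER:ban}%{GREEDYDATA}\SUBSCRIBER_NO=\[%{NUMBER:subscriber_no}%{GREEDYDATA}\SOC=\[%{WORD:soc}%{GREEDYDATA}" }
    }
    date {
      # "ss,SSS" consumes the milliseconds; the second pattern is a fallback for
      # a line that arrives without them.
      match    => [ "error_log_time", "YYYY-MM-dd HH:mm:ss,SSS", "YYYY-MM-dd HH:mm:ss" ]
      timezone => "Asia/Almaty"
      target   => "@timestamp"
    }
  }

  # --- error lines: slow service ----------------------------------------------
  else if "! service is too slow" in [message] {
    grok {
      match => { "message" => "\[%{TIMESTAMP_ISO8601:error_log_time}\]%{GREEDYDATA} %{LOGLEVEL:log-level}%{GREEDYDATA}\- %{GREEDYDATA:response_code}" }
    }
    date {
      match    => [ "error_log_time", "YYYY-MM-dd HH:mm:ss,SSS", "YYYY-MM-dd HH:mm:ss" ]
      timezone => "Asia/Almaty"
      target   => "@timestamp"
    }
  }

  # --- error lines: slow Tuxedo service ---------------------------------------
  else if "! Tuxedo service is too slow" in [message] {
    grok {
      match => { "message" => "\[%{TIMESTAMP_ISO8601:error_log_time}\]%{GREEDYDATA} %{LOGLEVEL:log-level}%{GREEDYDATA}\- %{GREEDYDATA:response_code}\: com%{GREEDYDATA}" }
    }
    date {
      match    => [ "error_log_time", "YYYY-MM-dd HH:mm:ss,SSS", "YYYY-MM-dd HH:mm:ss" ]
      timezone => "Asia/Almaty"
      target   => "@timestamp"
    }
  }

  # --- access lines: everything else (e.g. the prepaidAddBalance sample) ------
  # Field order differs from the servlet lines: time, response_time, method,
  # response_code, path.
  else {
    grok {
      match => { "message" => "(?<date>%{YEAR}-%{MONTHNUM}-%{MONTHDAY})\s+(?<hms>%{HOUR}:%{MINUTE}:%{SECOND})\s+%{NUMBER:response_time}\s+%{WORD:method}\s+%{NUMBER:response_code}\s+%{URIPATH:request_type}\?ctn=%{NUMBER:msisdn}" }
    }
    mutate { add_field => { "log_time" => "%{date} %{hms}" } }
    date {
      match    => [ "log_time", "YYYY-MM-dd HH:mm:ss" ]
      timezone => "Asia/Almaty"
      target   => "@timestamp"
    }
    mutate { remove_field => [ "date", "hms" ] }
  }

  # Any line no branch could parse is discarded. A line such as
  # "[2021-02-24 00:00:06,335] [[ACTIVE] ExecuteThread: ...] ERROR ..." matches
  # none of the conditions above, so it ends up here and is silently lost. Add a
  # branch for that shape before the final "else", or route _grokparsefailure
  # events to a separate index instead of dropping them, so parsing gaps stay
  # visible to whoever is monitoring this source.
  if "_grokparsefailure" in [tags] {
    drop {}
  }

}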

Thank you, I changed it.

For the first log line, none of these conditionals match:

if "/uss/servlet/ivrRequest" in [message] {

} else if "/uss/servlet/ussdHttpServlet.ru" in [message] or "/uss/servlet/ussdHttpServlet.kz" in [message] {

if "ER000" in [message] or "ER001" in [message] or "ER002" in [message] or "ER003" in [message] or "ER004" in [message] or "ER004" in [message] or "TUX" in [message] or "ER034" in [message] {

} else if "! service is too slow" in [message] {

} else if "! Tuxedo service is too slow" in [message] {

So it falls through to the last grok pattern

grok { match => {"message" => "(?<date>%{YEAR}-%{MONTHNUM}-%{MONTHDAY})[\t](?<hms>%{HOUR}:%{MINUTE}:%{SECOND})[\t]%{NUMBER:response_time}[\t]%{WORD:method}[\t]%{NUMBER:response_code}[\t]%{URIPATH:request_type}[\?]ctn=%{NUMBER:msisdn}"}}

which obviously does not match. Since you have

if "_grokparsefailure" in [tags] { drop {} }

at the end of your filter the event will be dropped.

For the second log line, I suspect the problem is that your grok pattern requires the fields to be tab-separated. If you change [\t] to \s+ then I would expect you to get

       "method" => "GET",
     "log_time" => "2021-01-27 10:22:04",
"response_code" => "200",
       "msisdn" => "7768741498",
 "request_type" => "/api/1.0/info/prepaidAddBalance",
"response_time" => "0.488"

etc.
