pkaramol
April 2, 2018, 7:47am
1
I am parsing some syslog logs as follows:
grok {
match => { 'message' => '%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}' }
}
The actual logs have a local_time field as follows (e.g.):
local_time="21/Jun/2015:23:45:39 +0300"
I want the @timestamp field of the document to take the value of the above field.
How can this be achieved?
edit : the following is still giving a @timestamp with value equal to the current time, not the value of the local_time field.
date {
target => "@timestamp"
match => [ "local_time", "dd/MMM/YYYY:HH:MM:ss Z" ]
tag_on_failure => ["no_date_match"]
}
So you're getting a no_date_match tag in the resulting documents? Have you looked in the Logstash log for clues? The date filter logs details about any parse errors.
pkaramol
April 2, 2018, 9:59am
3
Actually I am using the docker ELK stack and it doesn't output any parsing errors...
Any idea how can I further debug this?
Actually I am using the docker ELK stack and it doesn't output any parsing errors...
Not true. It's always possible to read the Logstash logs. What Docker image are you using and how are you starting the container?
pkaramol
April 2, 2018, 10:50am
5
I am using this project: https://github.com/deviantony/docker-elk
And always starting it with docker-compose rm -f && docker-compose up
pkaramol
April 2, 2018, 2:45pm
6
The mapping was failing because the minutes need to be in lowercase 'm'...
I was using capital 'M'...
The topic can be closed I guess...
system
April 30, 2018, 2:45pm
7
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.