Apply filters

serjio · April 6, 2023, 12:48pm

good afternoon. Recently I started to get acquainted with ELK and aot what is my problem:
I use such a filter


filter {
 if [type] == "syslog" {
    grok {
        match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
  }
  date {
        match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
  }
}

I need to filter the log not by the time it was shipped to ELK, but by the actual event of the log entry. How can I achieve this?

serjio · April 12, 2023, 6:32am

does no one really know how to do this?

Badger · April 12, 2023, 3:29pm

You are extracting the timestamp from the log message into [syslog_timestamp], but using the date filter to parse a different field. Parse the [syslog_timestamp].

system · May 10, 2023, 3:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Date parsing logstash Logstash	5	183	January 30, 2024
Logstash grok Logstash	5	294	September 7, 2021
@timestamp not updated using date filter Logstash	3	483	October 3, 2019
Grok filter multiple match Logstash	4	18143	October 31, 2019
Syslog filter issue with timestamp Logstash	13	1844	January 3, 2022

Apply filters

Related Topics