Apply filters

serjio · April 6, 2023, 12:48pm

good afternoon. Recently I started to get acquainted with ELK and aot what is my problem:
I use such a filter


filter {
 if [type] == "syslog" {
    grok {
        match => { "message" => "<%{POSINT:syslog_pri}>%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{GREEDYDATA:syslog_message}" }
    }
  }
  date {
        match => [ "timestamp" , "dd/MMM/YYYY:HH:mm:ss Z" ]
  }
}

I need to filter the log not by the time it was shipped to ELK, but by the actual event of the log entry. How can I achieve this?

serjio · April 12, 2023, 6:32am

does no one really know how to do this?

Badger · April 12, 2023, 3:29pm

You are extracting the timestamp from the log message into [syslog_timestamp], but using the date filter to parse a different field. Parse the [syslog_timestamp].

system · May 10, 2023, 3:29pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash filter not working as expected Logstash	13	3545	June 8, 2017
Date parsing logstash Logstash	5	183	January 30, 2024
How to process old logs? Logstash	1	782	November 26, 2018
Logstash grok Logstash	5	294	September 7, 2021
Filter Multiple Patterns Logstash	4	1009	September 22, 2017

Apply filters

Related topics