Cannot parse logs with date filter


(omer) #1

Hi;

I am trying to parse my logs into fields but, as you can guess, I failed :smiley:

Here is a sample of my logs.

[INFO ] 23.08.2017 20:28:32.941 in [pool-2-thread-20] |com.defne.rbt.eventapi.client.kvp.EventJob:eventCall:239| - Response returned for Call event: Success

Firstly, I tried to use just the date filter, like this:

filter {
  date {
    match => ["message", "dd.MM.yyyy HH:mm:ss.SSS"]
  }
}

However, it could not find the date in the message. Then I tried to parse it with the grok filter, but I failed there too. I could not create fields to put into the date filter. Indeed, I probably made mistakes in grok. How can I parse it? How can I get the correct timestamp? Need help!... :smiley:

Thank you.


(Magnus Bäck) #2

First use a grok filter to extract only the timestamp into a separate field, then feed that field to the date filter.

The grok constructor web site can help you create a grok expression for your log.


(omer) #3

I used the grok constructor and got separated fields. You mentioned that I should only get the timestamp, but I cannot do that. Instead, I get random fields. The grok constructor says it is matched, but when I use it in Logstash, I get _grokparsefailure.

Here are both grok and date filters.

filter {
  grok {
    # The literal [, ] and | characters must be escaped; (?<date>...) names the custom capture
    match => { "message" => "\[%{LOGLEVEL:level}%{SPACE}\] (?<date>%{MONTHDAY}\.%{MONTHNUM}\.%{YEAR} %{TIME}) %{WORD:in} \[%{WORD:thread}\] \|%{DATA:host}\| - %{DATA:message}" }
  }
  date {
    match => ["date", "dd.MM.yyyy HH:mm:ss.SSS"]
  }
}

and the grok constructor results:

MATCHED
in in
host com.defne.rbt.eventapi.client.kvp.EventJob:eventCall:239
thread pool-2-thread-20
date 23.08.2017·20:28:32.941
message
level INFO
after match: Response returned for Call event: Success

So, it didn't work. Where did I make mistakes?

Thanks for reply...


(omer) #4

Oh, my bad... I changed {WORD:thread} to {DATA:thread} and {DATA:message} to {GREEDYDATA:message} and boooom... it worked! :rofl::rofl:

Now, I just wonder: how can I get only the timestamp from the log files?
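The pipeline discussed in posts #2 to #4 (grok extracts the timestamp into its own field, the date filter parses that field), as an added example that is not part of this thread and not Logstash's own code. It runs in plain Ruby, whose regex engine speaks the same Oniguruma syntax grok uses: a small, simplified subset of the stock grok pattern library is copied in, `DateTime.strptime` stands in for the date filter, and the assumed helper names (`expand_grok`, `grok_match`, `parse_timestamp`, `parse_line`) are this example's, not Logstash's. It shows why the date filter applied straight to `message` fails, why post #3's pattern fails (the stock `WORD` pattern is `\b\w+\b`, which cannot cross the hyphens in `pool-2-thread-20`), that post #4's pattern works, and, going beyond the thread, a pattern that captures only the timestamp as post #4 asks.

```ruby
require 'date'

# Simplified subset of the stock Logstash grok pattern library (Oniguruma syntax,
# which Ruby's regex engine also accepts). Copied in so the example runs without
# Logstash; LOGLEVEL is shortened to the common levels. Assumed subset, not the full library.
GROK_PATTERNS = {
  'LOGLEVEL'   => '(?:TRACE|DEBUG|INFO|WARN(?:ING)?|ERROR|FATAL)',
  'SPACE'      => '\s*',
  'MONTHDAY'   => '(?:0[1-9]|[12][0-9]|3[01]|[1-9])',
  'MONTHNUM'   => '(?:0?[1-9]|1[0-2])',
  'YEAR'       => '(?>\d\d){1,2}',
  'HOUR'       => '(?:2[0123]|[01]?[0-9])',
  'MINUTE'     => '(?:[0-5][0-9])',
  'SECOND'     => '(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)',
  'TIME'       => '%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])',
  'WORD'       => '\b\w+\b',   # stock definition: word characters only, so no hyphens
  'DATA'       => '.*?',       # lazy: matches as little as possible
  'GREEDYDATA' => '.*',        # greedy: matches to the end of the line
}.freeze

# Expand %{NAME} / %{NAME:field} references into (named) regex groups, recursively,
# because library patterns such as TIME refer to other patterns.
def expand_grok(pattern)
  pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = $1, $2
    raise ArgumentError, "unknown grok pattern #{name}" unless GROK_PATTERNS.key?(name)
    inner = expand_grok(GROK_PATTERNS[name])
    field ? "(?<#{field}>#{inner})" : "(?:#{inner})"
  end
end

# Grok semantics: an unanchored regex search over the field. nil stands in for
# the _grokparsefailure tag Logstash would add.
def grok_match(grok_pattern, line)
  m = Regexp.new(expand_grok(grok_pattern)).match(line)
  return nil unless m
  m.names.map { |n| [n, m[n]] }.to_h
end

# strptime equivalent of the Joda format "dd.MM.yyyy HH:mm:ss.SSS" used in the thread.
DATE_FORMAT = '%d.%m.%Y %H:%M:%S.%L'

# Stand-in for the date filter: the field value has to be the timestamp and
# nothing else, so handing it the whole log line fails (nil).
def parse_timestamp(value)
  DateTime.strptime(value, DATE_FORMAT).strftime('%Y-%m-%dT%H:%M:%S.%L')
rescue ArgumentError
  nil
end

# grok first, then date on the extracted field; mirrors the two-filter pipeline.
def parse_line(grok_pattern, line)
  fields = grok_match(grok_pattern, line)
  return nil unless fields
  fields.merge('@timestamp' => parse_timestamp(fields['date']))
end

# Constructed sample input: the line quoted in the thread.
LINE = '[INFO ] 23.08.2017 20:28:32.941 in [pool-2-thread-20] ' \
       '|com.defne.rbt.eventapi.client.kvp.EventJob:eventCall:239| - Response returned for Call event: Success'

TS = '(?<date>%{MONTHDAY}\.%{MONTHNUM}\.%{YEAR} %{TIME})'

# Post #3's pattern: %{WORD:thread} cannot match "pool-2-thread-20".
PATTERN_V1 = '\[%{LOGLEVEL:level}%{SPACE}\] ' + TS +
             ' %{WORD:in} \[%{WORD:thread}\] \|%{DATA:host}\| - %{DATA:message}'
# Post #4's fix: DATA for the thread name, GREEDYDATA for the trailing text.
PATTERN_V2 = '\[%{LOGLEVEL:level}%{SPACE}\] ' + TS +
             ' %{WORD:in} \[%{DATA:thread}\] \|%{DATA:host}\| - %{GREEDYDATA:message}'
# Timestamp only: the search is unanchored, so the rest of the line need not be described;
# ^ and the level prefix keep the match pinned to the start of the line.
PATTERN_TS_ONLY = '^\[%{LOGLEVEL}%{SPACE}\] ' + TS

if __FILE__ == $PROGRAM_NAME
  puts "date filter on message: #{parse_timestamp(LINE).inspect}"
  puts "pattern v1 (post #3):   #{parse_line(PATTERN_V1, LINE).inspect}"
  puts "pattern v2 (post #4):   #{parse_line(PATTERN_V2, LINE).inspect}"
  puts "timestamp only:         #{parse_line(PATTERN_TS_ONLY, LINE).inspect}"
end
```

Note that the sample line carries no zone, so both this stand-in and the real date filter have to assume one; in Logstash that is the `timezone` option of the date filter, and leaving it at the default means the machine running Logstash decides.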


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.