I am having trouble getting the filter date pattern to match my log file's date pattern.
I want the date to appear as the EventDateTime attribute and to be removed from the message field.
Can anyone help me? I am having trouble setting up the date with the AM/PM format.
Thanks.
My log file date format: 9/6/2016 3:46:01 AM
Below is the filter inside my config file:
filter {
  grok {
    match => { "message" => "^(?<EventDateTime>%{MONTHNUM}/%{MONTHDAY}/%{YEAR} %{TIME}(?:AM|am|PM|pm))%{GREEDYDATA}" }
  }
  date {
    match => ["EventDateTime", "dd/MM/YYYY hh:mm:ss a"]
    #timezone => "UTC"
    #remove_field => ["EventDateTime"]
  }
}
Error Message
Pipeline main started
Failed parsing date from field {:field=>"EventDateTime", :value=>"9/6/2016 3:46:01", :exception=>"Invalid format: "9/6/2016 3:46:01" is too short", :config_parsers=>"dd/MM/YYYY hh:mm:ssa", :config_locale=>"default=en_US", :level=>:warn}
{
  "message" => "9/6/2016 3:49:01 PM:Sending : FREE\r",
  "@version" => "1",
  "@timestamp" => "2016-09-06T09:43:52.052Z",
  "path" => "c:/logstash-tutorial/test1.trc",
  "host" => "test1",
  "tags" => [
    [0] "_grokparsefailure"
  ]
}
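
An added example, not part of the original post: one possible filter that matches the sample line shown above, extracts the timestamp and strips it from the message. It assumes the date is month/day (the event's @timestamp of 2016-09-06 suggests 9/6 is September 6), that a colon always follows AM/PM as in the sample line, and that the parsed time should be stored in EventDateTime rather than in @timestamp.

```logstash
filter {
  grok {
    # The posted pattern has %{TIME} followed directly by AM/PM, but the log
    # line has a space between the seconds and AM/PM ("3:49:01 PM"), so the
    # match fails and the event is tagged _grokparsefailure.
    # Here the space is part of the pattern, the ":" separator seen in the
    # sample line is consumed (assumption: it is always present), and the
    # rest of the line is captured back into "message".
    match => {
      "message" => "^(?<EventDateTime>%{MONTHNUM}/%{MONTHDAY}/%{YEAR} %{TIME} (?:AM|am|PM|pm)):%{GREEDYDATA:message}"
    }
    # Replace the original message with the captured remainder, so the
    # date no longer appears inside the message field.
    overwrite => ["message"]
  }

  date {
    # Month first, single-letter fields for the unpadded month, day and hour,
    # and "a" for the AM/PM marker, separated from the seconds by a space
    # exactly as it is in the captured string.
    match => ["EventDateTime", "M/d/yyyy h:mm:ss a"]
    # Assumption: keep the parsed value in EventDateTime. Without "target"
    # the date filter writes the parsed time to @timestamp instead.
    target => "EventDateTime"
    # The log line carries no zone; set this explicitly if the Logstash host
    # is not in the same zone as the system that wrote the log.
    #timezone => "UTC"
  }
}
```

Events that still fail to parse are tagged `_grokparsefailure` or `_dateparsefailure`, so it is worth checking for those tags before relying on the extracted timestamps for event ordering.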