Date filter not working in Logstash

RileyShu · August 15, 2016, 10:54pm

input {

file {
    path => "C:\SystemErrors.log"
    start_position => beginning 
    ignore_older => 0 
    type => "SystemErrors"
}

}

filter {

date {
	locale => "en"
	timezone => "America/Los_Angeles"
	match => ["\r\nTimestamp", " YYYY-MM-dd:HH:mm:ss"]
	target => "@timestamp"
	add_tag => [ "date" ]
}

multiline {
    pattern => "^*#########"
    negate => true
    what => "previous"
}

kv {
	field_split => "*"
	value_split => " : "
	remove_field => ["host","path", "@version", "message"]
	add_tag => [ "kv" ]
}

}

output {

elasticsearch {
#index => test
}

}

My original file starts with:

> *########################################*
> Timestamp: 2016-07-01 21:25:48*Message: HandlingInstanceID:
> An exception of type 'Exception' occurred and was caught.
> -----------------------------------------------------------------------------------------------
> 07/01/2016 14:25:47
> Type : erwr3
> Message : The configuration is not found.
> Source : Metadata

> *®Category®: "System Errors"*:Priority:: {0}*EventId: 100*§Severity§: Error*TitleException Handling*¶Machine¶: 7W*Application_Domain:83*Process_Id: 8*Process_Name: *Win32_Thread_Id: 10*Thread_Name: *Extended_Properties: 
> *~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~*

In the output, my date filter doesn't add the "date" tag successfully. And my @timestamp is still the time I read the file instead of the value in the file.

This is my output

        "_index": "logstash-2016.08.15",
        "_type": "SystemErrors",
        "_id": "AVaQZwR4a6yP1EXIw5eQ",
        "_score": 1,
        "_source": {
           "@timestamp": "2016-08-15T22:51:19.703Z",
           "type": "SystemErrors",
           "tags": [
              "multiline",
              "kv"
           ],
           "\r\nTimestamp": "2016-07-01 21:25:48",
           "Message": "HandlingInstanceID:\r\nAn exception of type 'Exception' occurred and was caught.\r\n-----------------------------------------------------------------------------------------------\r\n07/01/2016 14:25:47\r\nType : erwr3\r\nMessage : The configuration is not found.\r\nSource : Metadata\r\n\r\n",
           "\\xAECategory\\xAE": "\\\"System Errors\\\"",
           "Priority": ": {0}",
           "EventId": "100",
           "\\xA7Severity\\xA7": "Error",
           "TitleException": "Handling",
           "\\xB6Machine\\xB6": "7W",
           "Application_Domain": "83",
           "Process_Id": "8",
           "Process_Name": " ",
           "Win32_Thread_Id": "10",
           "Thread_Name": " ",
           "Extended_Properties": "\\r\n"

Please help!!!

magnusbaeck · August 16, 2016, 5:51am

I wouldn't assume that the date filter play nicely with fields with newline characters in their names, but the most serious problem is probably that your date filter comes before the kv filter that creates the timestamp field. Keep in mind that filters are evaluated in order.

RileyShu · August 16, 2016, 8:33am

You are such a lifesaver! :))