shani
November 27, 2020, 8:43am
1
HI, this is my config file. I want to extract date from the log and want to create two field like
time_mentioned_in_log
time_when_log_was_received_at_logstash
Raw Log:
3/2/2020 10:14 AM TYPE=Information USER= COMP=ABCXYZ.local SORC=Dummy CATG=(0) EVID=1 MESG=some_msg_here
configuration file:
input {
file {
filter {
output {
Please help me.
Badger
November 27, 2020, 1:49pm
2
The pattern in the date filter has to consume the entire field, so for that message you would have to use
date { match => [ "[message]", "d/M/YYYY HH:mm a' TYPE=Information USER= COMP=ABCXYZ.local SORC=Dummy CATG=(0) EVID=1 MESG=some_msg_here'" ] }
Use dissect or grok to extract the timestamp from the message and then use a date filter to parse that.
shani
November 27, 2020, 4:05pm
3
Hi Sir,
I'm unable to understand what's missing here. Dissect or Grok gets failed when I use to parse it. Like dissect is getting failed here
input {
file {
path => "/etc/logstash/files/time.log"
start_position => beginning
sincedb_path => "/dev/null"
}
}
filter {
dissect {
mapping => {
"message" => "%{log_time} TYPE=%{[event][type]} USER=%{[user][name]} COMP=%{[most][hostname]} SORC=%{[event][module]} CATG=%{[event][category]} EVID=%{[event][id]} MESG=%{[custom][message]}"
}
}
date {
match => ["log_time", "d/M/YYYY HH:mm a" ]
target => "[event][created]"
}
}
output {
stdout { codec => rubydebug }
}
Input files contains the logs
Badger
November 27, 2020, 4:21pm
4
That is not going to match. It says that [message] should contain characters that are not space (the delimiter), followed by a space, followed by the literal string TYPE=. That's not what you have. Try
dissect { mapping => { "message" => "%{log_time} %{+log_time} %{+log_time} TYPE=%{[event][type]}
system
December 25, 2020, 4:21pm
5
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.