Date parsing log without date in it

yammy · February 10, 2016, 8:36pm

I have a log that I need to collect, however it only contains the timestamp at the begining with no date.
Example:
145231.hostname!process1.19022.2799412992.0: msg1 "INFO: msg2"

I am successfully parsing the data with the grok statement below:
Example:
%{HOUR}%{MINUTE}%{SECOND}.%{DATA:my_host}!%{DATA:process}: %{DATA:msg1} %{GREEDYDATA:msg2}

What I am stuck on is how to use the date filter to set the timestamp on the event, using the data from the log entry and the present date. Does anyone have an example?

magnusbaeck · February 11, 2016, 6:53am

I don't remember what the date filter defaults to if you supply a pattern containing just hours and minutes, but you could always use a ruby filter to obtain the current date and assume that the log you're parsing is from today. Or, perhaps you could use the path field (containing the path to the input file) to figure out which day it is.

yammy · February 11, 2016, 1:35pm

Thanks Magnus

Do you know of any similar examples of this? I'm unsure of what it would look like.

magnusbaeck · February 11, 2016, 7:11pm

This should give you a date field with the current date (in the local timezone):

filter {
  ruby {
    code => "
      event['date'] = Time.now.strftime('%Y-%m-%d')
    "
  }
}

Topic		Replies	Views
Assume the date is current date if there is no date in log Logstash	5	479	December 8, 2016
There is no dateparsefailure in the tag,but it does not work Logstash	10	555	June 6, 2018
Completly lost with how to parse date Logstash	2	286	August 5, 2019
Logstash Parse Date Issue Logstash	2	656	July 6, 2017
Date Filter Doesn't Work Logstash	6	923	November 2, 2018

Date parsing log without date in it

Related topics