I have a log line
Thu Jun 18 08:01:42 CEST 2020|{"timestamp":1592460102635,"caller":"test.customer@customer1","action":"LOGIN","message":"ID000066 User [test.customer@customer1] logged in successfully."}
This is my filter:
filter {
dissect {
mapping => {
"message" => "%{log_timestamp}|%{data}"
}
}
mutate {
gsub => [ "data","[\\"]","" ]
}
kv {
source => "data"
field_split => ","
value_split => ":"
trim_key => "[\{]"
trim_value => "[\}]"
prefix => "audit_"
}
#Thu Jun 18 08:01:42 +0200 2020
if ("CEST" in [log_timestamp]) {
mutate {gsub => [ "log_timestamp", "CEST", "+0200" ]}
date {
match => [ "log_imestamp" , "E MMM dd HH:mm:ss Z yyyy" ]
#remove_field => [ "log_timestamp" ]
}
}
if ("CET" in [log_timestamp]) {
mutate {gsub => [ "log_timestamp", "CET", "+0100" ]}
date {
match => [ "log_timestamp" , "E MMM dd HH:mm:ss Z yyyy" ]
#remove_field => [ "log_timestamp" ]
}
}
date {
match => [ "log_timestamp" , "E MMM dd HH:mm:ss yyyy" ]
#remove_field => [ "log_timestamp" ]
}
}
This is the output with the dateparsefailure for log_timestamp. Could you please advise what I am doing wrong here?:
{
"audit_caller" => "test.customer@customer1",
"@timestamp" => 2020-06-18T18:51:54.716Z,
"host" => "test@example.com",
"message" => "Thu Jun 18 08:01:42 CEST 2020|{\"timestamp\":1592460102635,\"caller\":\"test.customer@customer1\",\"action\":\"LOGIN\",\"message\":\"ID000066 User [test.customer@customer1] logged in successfully.\"}",
"data" => "{timestamp:1592460102635,caller:test.customer@customer1,action:LOGIN,message:ID000066 User [test.customer@customer1] logged in successfully.}",
"audit_message" => "ID000066 User [test.customer@customer1] logged in successfully.",
"@version" => "1",
"audit_timestamp" => "1592460102635",
"log_timestamp" => "Thu Jun 18 08:01:42 +0200 2020",
"audit_action" => "LOGIN",
"tags" => [
[0] "_dateparsefailure"
]
}