Different timezones for same kind of logs

(Shrikant) #1

I have two kinds of access logs being taken from two different locations, and on applying the filter I am not able to replace my @timestamp with timestamp.
My logs are (with different timezones):

1. IP - - [12/Jun/2017:11:52:13 +0200] "GET / HTTP/1.1" 200 1165
2. IP - - [08/Jan/2018:04:54:41 +0100] "GET /manager HTTP/1.1" 302 -
and my filters are as below:

    if [type] == "access1" {
      grok {
        # Brackets are escaped with \[ \] so they are taken literally, and .* skips
        # the rest of the request line. The name of the final capture group was lost
        # in the post; "status" is assumed here.
        match => { "message" => "%{IP:ip}.*\[%{MONTHDAY:day}/%{MONTH:month}/%{YEAR:year}:%{TIME:time}\s%{ISO8601_TIMEZONE:timezone}\]\s*\"%{WORD:request}\s*.*\"\s(?<status>\d+)" }
      }
      mutate {
        add_field => { "timestamp" => "%{year}-%{month}-%{day} %{time} %{timezone}" }
      }
      date {
        match => ["timestamp", "yyyy-MMM-dd HH:mm:ss", "ISO8601"]
        target => "@timestamp"
      }
    }

Any help would be really appreciated.

(Guy Boertje) #2

The first pattern in your date filter does match for the timezone.

You can use add_field directly in the grok filter - it will only add the field if the grok succeeds. Otherwise, put the mutate and date inside a conditional block that checks for no grok parse failure.
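As an added example (not from the thread), a small Python model of the pipeline in the question: a regex stands in for the grok pattern, the fields are reassembled into a timestamp string as the mutate/add_field does, and the string is parsed once with a pattern that includes the zone (the Logstash date-filter equivalent is `dd/MMM/yyyy:HH:mm:ss Z`) and once with the zone dropped, which shows why the two locations' events would land on the wrong instants. The sample lines and IP addresses are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines, modelled on the two access-log lines in the post
# (one recorded in a +0200 zone, one in a +0100 zone).
SAMPLE_LINES = [
    '203.0.113.10 - - [12/Jun/2017:11:52:13 +0200] "GET / HTTP/1.1" 200 1165',
    '198.51.100.7 - - [08/Jan/2018:04:54:41 +0100] "GET /manager HTTP/1.1" 302 -',
]

# Regex equivalent of the grok pattern; the named groups play the role of
# %{IP:ip}, %{MONTHDAY:day}, %{MONTH:month}, ... in the post's filter.
ACCESS_RE = re.compile(
    r'(?P<ip>\S+) - - \[(?P<day>\d{2})/(?P<month>[A-Za-z]{3})/(?P<year>\d{4})'
    r':(?P<time>\d{2}:\d{2}:\d{2}) (?P<timezone>[+-]\d{4})\]'
    r' "(?P<request>\w+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_access_line(line):
    """Return the grok-style field dict, or None when the line does not match
    (Logstash would tag the event _grokparsefailure instead)."""
    m = ACCESS_RE.match(line)
    return m.groupdict() if m else None


def event_timestamp(fields, honour_timezone=True):
    """Assemble the 'timestamp' field and parse it like the date filter.

    honour_timezone=True uses the zone-aware pattern (Joda 'dd/MMM/yyyy:HH:mm:ss Z').
    honour_timezone=False parses the wall-clock time only; Logstash would then
    interpret it in the pipeline's configured zone, assumed to be UTC here."""
    stamp = f"{fields['day']}/{fields['month']}/{fields['year']}:{fields['time']}"
    if honour_timezone:
        dt = datetime.strptime(f"{stamp} {fields['timezone']}", "%d/%b/%Y:%H:%M:%S %z")
    else:
        dt = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S").replace(tzinfo=timezone.utc)
    # @timestamp is always stored in UTC, so normalise before returning.
    return dt.astimezone(timezone.utc).isoformat()


def timestamps(lines, honour_timezone=True):
    """UTC @timestamp values for every line that parses; failures are skipped,
    as a conditional on _grokparsefailure would skip them in the pipeline."""
    out = []
    for line in lines:
        fields = parse_access_line(line)
        if fields is not None:
            out.append(event_timestamp(fields, honour_timezone))
    return out
```

With the zone honoured the two events sit at 09:52:13Z and 03:54:41Z; with it dropped they shift by one and two hours respectively, so cross-site correlation of the same attacker session would be off.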

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.