Field logTime is 2019-Mar-28 02:39:24.778, 2019-Mar-28 02:39:24.778, why?

kevin_bolton · March 28, 2019, 2:53am

I have multiple Logstash config(forti.conf, cisco.conf) in logstash conf directory

Both configs have logTime field
add_field => { "logTime" => "%{year}-%{month}-%{day} %{time}" }

In Kibans > query > index of cisco log >
logTime field is 2019-Mar-28 02:39:24.778, 2019-Mar-28 02:39:24.778

Why?

part of log
Mar 28 2019 11:00:08.818 UTC or
*Mar 28 2019 11:00:08.818 UTC

part of conf
grok {
match => [
"message", "<%{NONNEGINT:syslog5424pri}>(%{NUMBER:log_sequence})?: %{GREEDYDATA:devhostname}: %{MONTH:month} %{MONTHDAY:day} %{YEAR:year} %{TIME:time} %{TZ:timezone}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:description}",
"message", "<%{NONNEGINT:syslog5424pri}>(%{NUMBER:log_sequence})?: %{GREEDYDATA:devhostname}: *%{MONTH:month} %{MONTHDAY:day} %{YEAR:year} %{TIME:time} %{TZ:timezone}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:description}"
]
add_field => { "logTime" => "%{year}-%{month}-%{day} %{time}" }
}
date {
match => [
"logTime",
"yyyy-MMM-dd HH:mm:ss.SSS",
"yyyy-MMM-d HH:mm:ss.SSS"
]
timezone => "%{timezone}"
}

nurhambali · March 28, 2019, 3:02am

what about this way

%{CISCOTIMESTAMPTZ:log_date}

kevin_bolton · March 28, 2019, 8:02am

I am using pipeline to separate two conf,
Now the problem was solved.

system · April 25, 2019, 8:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.