Filter date in logstash

Sirius · November 26, 2019, 9:03pm

I am traying to filter a format date like below message log with grok, but not luck

01-NOV-2019 00:09:01 * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.84.62) 
(PORT=48482)) * <unknown connect data> * 12537

From debugger works but at the moment to restart logstash is just not showing the new fields filtered expected, like :

%{NOTSPACE} %{TIME}

Output:

{
  "NOTSPACE": [
[
  "01-NOV-2019"
]
  ],
  "TIME": [
[
  "00:09:22"
]
  ]
}

Any other better idea or advise ?

Thanks & Regards,
Jorge

Sirius · November 26, 2019, 9:06pm

Filter configuration in logstash is

filter {
        grok {
   match => {"message" => [ "%{NOTSPACE} %{TIME})" ]}
  }
}

Badger · November 26, 2019, 9:51pm

Remove the ) that comes after %{TIME}

Sirius · November 26, 2019, 10:27pm

Thanks for the observation, modifying the same even did not work

Sirius · November 26, 2019, 10:35pm

here an example how is being indexed, seems there is a grok failure, but in logstash output is not reporting any error message, the message showing is the same which is tested on grok debugger to get the date without issues ...

system · December 24, 2019, 10:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Strugging with the date filter Logstash	3	531	July 25, 2018
Logstash - filter message Logstash	3	232	April 23, 2020
Date Filter Doesn't Work Logstash	6	923	November 2, 2018
Logstash date filter not work Logstash	3	1206	March 5, 2018
Match error grok filter Logstash	4	654	October 9, 2021

Filter date in logstash

Related topics