Filter with spaces and extra pattern

Ben240489 · February 6, 2020, 11:46am

Hi guys,

I have another parsing question
My filebeat and logstash are working fine except for a problem in parsing a time in the format HH.MM.SS instead of the double point.

My message currently looks like this:
22.01.2020 ! 08.35.34 ! 92 ! MY TEXT ! 122#!

My filter looks like this:
match => {"message" => "%{DATE_EU:date}\s*!\s*%{TIME:time}\s*!\s*%{INT:number}\s*!\s*%{DATA:text}\s*!\s*%{INT:occurence}#!"}

My "extra.grok" definition of TIME:
TIME %{BASE10NUM}.%{BASE10NUM}.%{BASE10NUM}

But somehow, the field "time", "number" and "text" are not filled correctly in Kibana due to the "time" being with points...

Can you advise how to solve it? What am I missing? It takes for "time" only the first 2 digits until the point and therefore the output shifts for these values

Badger · February 6, 2020, 6:31pm

Try

pattern_definitions => { "TIME" => "%{INT}\.%{INT}\.%{INT}" }

Ben240489 · February 7, 2020, 10:36am

You're a genius, that's what did the trick
Thank you so much!!
It didn't work when I added it to my extra.grok pattern file which I link within the logstash but it worked directly in the logstash file

system · March 6, 2020, 10:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash/Grok help Logstash	5	429	May 31, 2017
Help with pattern Beats filebeat	1	344	August 31, 2018
Grokparsefailure on logstash Logstash	9	462	June 15, 2021
New fields not being created and grok help Logstash	6	3222	July 6, 2017
_dataparsefailure in tags Logstash	9	1476	October 22, 2019

Filter with spaces and extra pattern

Related topics