Grok GUnicorn error log date format?

GUnicorn uses this format for the error log file:

[2019-04-24 14:53:51 +0000] [10] [INFO] Starting gunicorn 19.4.5
[2019-04-24 14:53:51 +0000] [10] [INFO] Listening at: http://0.0.0.0:12007 (10)

Is the timestamp a standard ISO format that can be used in grok?

Currently my logstash pipeline grok filter looks like this, and it works but I'm not sure if this is the right way to do it. I'm parsing thetime out as just DATA and then using date plugin:

  else if "gunicorn" in [tags] {
    grok {
      match => [ "message", "(?m)\[%{DATA:thetime}\] \[%{DATA:pid}\] \[%{LOGLEVEL:level}\] %{GREEDYDATA:event}" ]
    }
    date {
      locale => "en"
      match => ["thetime", "YYYY-MM-dd HH:mm:ss Z"]
      timezone => "UTC"
    }
  }

If this is ok then I'll leave it as-is, but it would be good to know what others would do.

If it works it is OK. That said, personally I would use a dissect filter for a delimited format like that

dissect { mapping => { "message" => "[%{thetime}] [%{pid}] [%{level}] %{event}" } }

Thanks. Would that work for multiline too? I'm using filebeat to package up the events as multiline like this:

filebeat.inputs:
- type: log
  enabled: true
  paths:
    - /usr/share/logs/microservices/**/error_log
  multiline.pattern: '^\[(\S+) (\S+) (\S+)\] \[(\S+)\] \[(\S+)\] '
  multiline.negate: true
  multiline.match: after
  tags: ["gunicorn"]

Don't worry, I can confirm the dissect syntax above works for multiline.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.