Grok multiple date formats

Regul · July 17, 2019, 9:06am

I'm trying to parse syslog messages from 2 sources at the moment, but they have different date formats:

 <12>Jul 16 14:37:33
 <30>2019:07:16-14:23:13

Right now I got the following:

<%{POSINT:syslog_pri}>%{YEAR}:%{MONTHNUM}:%{MONTHDAY}-%{HOUR}:?%{MINUTE}(?::?%{SECOND}) %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}\[%{NUMBER:syslog_pid}\]\: %{GREEDYDATA:syslog_message}

<%{POSINT:syslog_pri}>%{MONTH} %{MONTHDAY} %{TIME} %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}\[%{NUMBER:syslog_pid}\]\: %{GREEDYDATA:syslog_message}

Both these parse one of the formats.

I'm having a hard time to create the correct config so both of these formats are processed correctly.
How can I combine these?

Badger · July 17, 2019, 1:10pm

You should be able to do alternation using |

<%{POSINT:syslog_pri}>(%{YEAR}:%{MONTHNUM}:%{MONTHDAY}-%{HOUR}:?%{MINUTE}(?::?%{SECOND})|%{MONTH} %{MONTHDAY} %{TIME}) %{SYSLOGHOST:syslog_host} %{DATA:syslog_program}\[%{NUMBER:syslog_pid}\]\: %{GREEDYDATA:syslog_message}

Regul · July 22, 2019, 10:15am

Perfect! That does the trick.

Thank you!

system · August 19, 2019, 10:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parsing different syslog date formats Logstash	5	13296	July 6, 2017
Filtering two different time pattern in logstash Logstash	7	468	September 8, 2020
Multiple Date formats in one file Logstash	4	2512	June 20, 2017
Unable to parse the date in syslog log message Logstash	3	360	October 17, 2019
Grok filter multiple match Logstash	4	18267	October 31, 2019

Grok multiple date formats

Related topics