Grok parse failure - Replace timestamp

Hi,

I have the following JSON:

{
  "_index": "filebeat-my-own-tag-xxx-2018.04.18",
  "_type": "doc",
  "_id": "saPh12IB-118Ln7atRDd",
  "_version": 1,
  "_score": null,
  "_source": {
    "host": "hostname.my.domain",
    "source": "/WEB/apps/XXXx/yyyyy/logs/xxxx/logs/xxxx.log",
    "tags": [
      "my-own-tag-xxx",
      "beats_input_codec_plain_applied",
      "_grokparsefailure",
      "_dateparsefailure"
    ],
    "@version": "1",
    "TIMEDATE": "%{Datum} %{Uhrzeit}",
    "message": "2018-04-18 10:18:18.254 INFO 9999 --- my message",
    "@timestamp": "2018-04-18T08:31:42.646Z",
    "offset": 192858,
    "prospector": {
      "type": "log"
    },
    "beat": {
      "name": "hostname.my.domain",
      "version": "6.2.2",
      "hostname": "hostname.my.domain"
    }
  },
  "fields": {
    "@timestamp": [
      "2018-04-18T08:31:42.646Z"
    ]
  },
  "sort": [
    1524040302646
  ]
}

This is my filter:

filter {
  if "my-own-tag-xxx" in [tags] {
    grok {
      # the custom time capture is named Uhrzeit so that add_field below can reference it
      match => [ "message" , "%{DATE_EU:Datum} (?<Uhrzeit>[\d:\d:\d,\d]{12})" ]
    }
    mutate {
      add_field => { "TIMEDATE" => "%{Datum} %{Uhrzeit}" }
    }
    date {
      match => [ "TIMEDATE", "ISO8601", "dd.MM.yyyy HH:mm:ss','SSSS" ]
      timezone => [ "Europe/Berlin" ]
      target => "@timestamp"
    }
  }
}

I would like to replace the timestamp with the timestamp of the message.

What's wrong?

Regards

Hi,

Problem fixed, using the following filter now:

  grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:data}"}
  }
  date {
     match => ["timestamp", "ISO8601"]
     target => ["@timestamp"]
  }

Regards
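To make the failure mode and the fix concrete, here is an added Python walk-through that is not part of the thread and not Logstash code. It emulates the two pipelines on the message line from the document above: grok's default behaviour (named captures on a match, a _grokparsefailure tag otherwise), Logstash's %{field} expansion (an unknown field stays as the literal %{name}, which is exactly the "%{Datum} %{Uhrzeit}" value seen in TIMEDATE), and the date filter with ISO8601 matching. The grok patterns are hand-written regex translations of DATE_EU, TIMESTAMP_ISO8601 and the first post's custom time capture (assumed equivalent for this line), and the Europe/Berlin timezone from the first post is assumed for the date step. The point for an analyst: the first filter leaves @timestamp at ingest time, so incident timelines built from it are off by the shipping delay; the fixed filter yields the event's own instant in UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Timezone requested in the first post. zoneinfo needs a tz database; if none is
# installed, fall back to a fixed CEST offset (UTC+2), which is correct for April 2018.
try:
    from zoneinfo import ZoneInfo
    BERLIN = ZoneInfo("Europe/Berlin")
except Exception:
    BERLIN = timezone(timedelta(hours=2), "CEST")

# Constructed sample: the "message" field of the document shown in the thread.
MESSAGE = "2018-04-18 10:18:18.254 INFO 9999 --- my message"

# Hand-written regex translations of the grok patterns involved (assumptions, not
# Logstash's own definitions). DATE_EU is day-first: MONTHDAY[./-]MONTHNUM[./-]YEAR.
DATE_EU = (r"(?P<Datum>(?:0[1-9]|[12][0-9]|3[01]|[1-9])[./-]"
           r"(?:0?[1-9]|1[0-2])[./-](?:\d\d){1,2})")
# The first post's custom capture: 12 characters that are digits, ':' or ','.
# It can never cover "10:18:18.254" because '.' is not in the class.
UHRZEIT = r"(?P<Uhrzeit>[\d:\d:\d,\d]{12})"
# TIMESTAMP_ISO8601: year-first date, 'T' or space, HH:mm[:ss[.fff]][zone].
TIMESTAMP_ISO8601 = (r"(?P<timestamp>\d{4}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12][0-9]|3[01])[T ]"
                     r"(?:[01][0-9]|2[0-3]):[0-5][0-9](?::[0-5][0-9](?:[.,]\d+)?)?"
                     r"(?:Z|[+-]\d{2}(?::?\d{2})?)?)")

ORIGINAL_GROK = re.compile(rf"{DATE_EU} {UHRZEIT}")          # first post
FIXED_GROK = re.compile(rf"{TIMESTAMP_ISO8601} (?P<data>.*)")  # second post


def grok(event, pattern):
    """grok default behaviour: add named captures on a match, else tag _grokparsefailure.
    grok matching is unanchored, hence re.search rather than re.match."""
    m = pattern.search(event["message"])
    if m is None:
        event.setdefault("tags", []).append("_grokparsefailure")
    else:
        event.update({k: v for k, v in m.groupdict().items() if v is not None})
    return event


def sprintf(template, event):
    """Logstash %{field} expansion: a field that does not exist is left as literal %{name}."""
    return re.sub(r"%\{(\w+)\}", lambda m: str(event.get(m.group(1), m.group(0))), template)


def date_iso8601(event, field, tz=BERLIN):
    """date { match => [field, "ISO8601"] }: read the value as local time in tz and store
    the UTC instant in @timestamp; on failure tag _dateparsefailure. Values carrying an
    explicit zone suffix (Z, +02:00) are not handled by this simplified emulation."""
    raw = str(event.get(field, "")).replace("T", " ").replace(",", ".")
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M"):
        try:
            naive = datetime.strptime(raw, fmt)
            break
        except ValueError:
            continue
    else:
        event.setdefault("tags", []).append("_dateparsefailure")
        return event
    utc = naive.replace(tzinfo=tz).astimezone(timezone.utc)
    event["@timestamp"] = utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"
    return event


def date_eu_alone(message):
    """What DATE_EU on its own picks out of an ISO line: a day-first misread, or None."""
    m = re.search(DATE_EU, message)
    return m.group("Datum") if m else None


def run_original(message):
    """The first post's filter: DATE_EU + custom time capture, mutate add_field, date."""
    event = {"message": message, "tags": ["my-own-tag-xxx"]}
    grok(event, ORIGINAL_GROK)
    event["TIMEDATE"] = sprintf("%{Datum} %{Uhrzeit}", event)  # mutate add_field
    return date_iso8601(event, "TIMEDATE")


def run_fixed(message):
    """The second post's filter: TIMESTAMP_ISO8601 + GREEDYDATA, then date on ISO8601."""
    event = {"message": message, "tags": ["my-own-tag-xxx"]}
    grok(event, FIXED_GROK)
    return date_iso8601(event, "timestamp")


if __name__ == "__main__":
    print("DATE_EU alone captures:", date_eu_alone(MESSAGE))
    print("original filter:", run_original(MESSAGE))
    print("fixed filter:   ", run_fixed(MESSAGE))
```

Running it reproduces the document from the first post: the original pipeline ends with both _grokparsefailure and _dateparsefailure, TIMEDATE holds the literal "%{Datum} %{Uhrzeit}", and @timestamp is never set (Logstash then keeps the ingest time). Note that DATE_EU on its own would still "match" the substring 18-04-18 of the ISO date, day and month swapped, which is a second reason to use TIMESTAMP_ISO8601 for a year-first log format. The fixed pipeline yields @timestamp 2018-04-18T08:18:18.254Z, the 10:18 Berlin (CEST) time of the message expressed in UTC.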
