Grok timestamp (can't match pattern)

The log line I am trying to make patterns on:
Sent from filebeat to logstash.

[Log Level- [1],[2021-01-05 15:19:28:410 GMT+0000], Thread ID: -858872064 HEALTH CHECK STATUS : 0, HealthCheck/Src/HealthCheckManager.cpp, 90

My logstash beats config:

filter {
        if "filebeat" in [tags] {
                grok {
                        patterns_dir => "/etc/logstash/patterns.txt"
                        match => [
                        "message", "\[Log Level- \[%{NUMBER:log-level}\],",
#                       "message", ",\[%{EVENTTIME:logtimestamp}"
#                       "message", ",\[%{LOGTIMESTAMP:logtimestamp}"
                        "message", ",\[%{TIMESTAMP_ISO8601:logtimestamp}"
                        ]
                }
        }
}

Patterns_dir/patterns.txt

LOGTIMESTAMP %{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}

EVENTTIME %{YEAR}[-]%{MONTHNUM}[-]%{MONTHDAY}[ ]%{HOUR}[:]%{MINUTE}[:]%{SECOND}

I am trying to create the field "logtimestamp", but I've been unable to match the timestamp against TIMESTAMP_ISO8601 or the custom pattern I created in patterns.txt.

Is my pattern incorrect?

Hi,
I think your syntax tries to match multiple patterns against a single field.
In your case you want to have the log info and the timestamp.
So your grok filter should be like this:

filter {
    grok {
        match => {
            "message" => "\[Log Level- \[%{NUMBER:log-level}\],\[%{TIMESTAMP_ISO8601:logtimestamp}"
        }
    }
}

To check if your grok configuration works, you have a debugger in Kibana, or you can use this site

Cad.
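An added example, not part of the original posts: a Python check of the two separate patterns from the question and the combined pattern from the answer, run against the log line quoted above. Assumptions: the regexes are simplified stand-ins for grok's NUMBER and TIMESTAMP_ISO8601, the group name log_level replaces log-level because Python group names cannot contain hyphens, and the hypothetical helper grok() models the patterns being tried in order with grok's default break_on_match => true.

```python
import re

# Constructed sample: the log line quoted in the question.
LINE = ("[Log Level- [1],[2021-01-05 15:19:28:410 GMT+0000], Thread ID: -858872064 "
        "HEALTH CHECK STATUS : 0, HealthCheck/Src/HealthCheckManager.cpp, 90")

# Simplified stand-ins for the stock grok patterns (assumption: close
# approximations, not the exact definitions shipped with Logstash).
NUMBER = r"[+-]?\d+(?:\.\d+)?"
# grok's SECOND accepts ':', '.' or ',' before the fractional part,
# so "15:19:28:410" is covered by the timestamp pattern.
TIMESTAMP = r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}(?:[:.,]\d+)?"

# The two separate patterns from the question and the combined one from the answer.
LEVEL_ONLY = re.compile(r"\[Log Level- \[(?P<log_level>%s)\]," % NUMBER)
TIME_ONLY = re.compile(r",\[(?P<logtimestamp>%s)" % TIMESTAMP)
COMBINED = re.compile(
    r"\[Log Level- \[(?P<log_level>%s)\],\[(?P<logtimestamp>%s)" % (NUMBER, TIMESTAMP)
)


def grok(line, patterns, break_on_match=True):
    """Hypothetical helper: try patterns in order, stopping at the first hit by default."""
    fields = {}
    for pattern in patterns:
        m = pattern.search(line)
        if m:
            fields.update(m.groupdict())
            if break_on_match:
                break
    return fields


if __name__ == "__main__":
    print("separate patterns:", grok(LINE, [LEVEL_ONLY, TIME_ONLY]))
    print("combined pattern: ", grok(LINE, [COMBINED]))
    print("no break on match:", grok(LINE, [LEVEL_ONLY, TIME_ONLY], break_on_match=False))
```

With the separate patterns, the first one matches and the timestamp pattern is never tried, so logtimestamp is missing even though that pattern matches the line on its own.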
