Hi members,
So I have a log with three entries:
26.01.2018 15:57:12 Hostname: ApplicationName : INFO - Message
26.01.2018 15:57:12 Hostname: ApplicationName : INFO - Message /configFile=Greedydata /logConfigFolder=Greedydata /step=Greedydata
26.01.2018 15:57:17 Hostname: ApplicationName : INFO - Message /configFile=Greedydata /logConfigFolder=Greedydata /step=Greedydata
And from the last two I got a grokparsefailure.
The strange thing is that the time is +1 hour in every entry; where does that come from? The data in Kibana is parsed correctly for all three entries! So why isn't every entry a grokparsefailure because of the time? And where else could that grokparsefailure come from?
I also debugged the grok parse section. It's formatted correctly.
My filter:
filter {
  if [fields][LogEvent] == "ApplicationConflict" {
    # Take the file name (without ".log") from the Windows path in "source".
    # "\\" is a literal backslash here (Logstash does not process escapes in
    # config strings by default); "\." keeps the dot literal in the regex.
    grok {
      match => { "source" => "%{PATH}\\%{GREEDYDATA:NameLogDatei}\.log" }
    }
    if "/configFile" in [message] {
      grok {
        match => { "message" => "%{DATE:Datum} %{TIME:Uhrzeit} %{HOSTNAME:Hostname} : %{GREEDYDATA:ApplicationName} : %{LOGLEVEL:LogLevel} - %{GREEDYDATA:message} /configFile=%{GREEDYDATA:configFile} /logConfigFolder=%{GREEDYDATA:logConfigFolder} /step=%{GREEDYDATA:WP_Step}" }
        overwrite => ["message"]
        add_field => { "timestamp" => "%{Datum} %{Uhrzeit}" }
        remove_field => ["Datum", "Uhrzeit"]
        add_tag => ["3"]
      }
    } else {
      # The generic pattern must only run when the /configFile pattern did not.
      # Without this else branch, the second grok ran on the "message" field
      # that the first grok had already overwritten (just the text after " - "),
      # found no date, host or level in it and tagged the event
      # _grokparsefailure. That is why exactly the two /configFile lines failed
      # while their fields still looked fine in Kibana.
      grok {
        match => { "message" => "%{DATE:Datum} %{TIME:Uhrzeit} %{HOSTNAME:Hostname} : %{GREEDYDATA:ApplicationName} : %{LOGLEVEL:LogLevel} - %{GREEDYDATA:message}" }
        overwrite => ["message"]
        add_field => { "timestamp" => "%{Datum} %{Uhrzeit}" }
        remove_field => ["Datum", "Uhrzeit"]
        add_tag => ["3"]
      }
    }
    date {
      match => ["timestamp", "dd.MM.yyyy HH:mm:ss"]
      # Without "timezone", the date filter reads the parsed time in the zone of
      # the Logstash host. If the log writes local time and Logstash runs in a
      # different zone, @timestamp is shifted by that difference; set the zone
      # the log is written in, for example:
      # timezone => "Europe/Berlin"
      target => "@timestamp"
      remove_field => ["timestamp"]
    }
  }
}
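As an added example (not code from the original post), here is a small Python model of the two grok stages and the date step of the filter above, run over constructed copies of the post's three log lines. The grok pattern names are replaced by simplified regular expressions, the hostname separator is written as the " : " the posted pattern expects, and the time-zone part assumes CET (UTC+1 in January) as the log's local zone purely to illustrate how a one-hour shift can arise:

```python
"""Added example, not part of the original post: a Python model of the
posted Logstash filter, run over constructed copies of the three log lines."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input modelled on the post's three lines. The host
# separator is written " : " because that is what the posted grok expects.
LOG_LINES = [
    "26.01.2018 15:57:12 Hostname : ApplicationName : INFO - Message",
    "26.01.2018 15:57:12 Hostname : ApplicationName : INFO - Message"
    " /configFile=Greedydata /logConfigFolder=Greedydata /step=Greedydata",
    "26.01.2018 15:57:17 Hostname : ApplicationName : INFO - Message"
    " /configFile=Greedydata /logConfigFolder=Greedydata /step=Greedydata",
]

# Simplified regex stand-ins for the grok patterns used in the post
# (DATE, TIME, HOSTNAME, LOGLEVEL, GREEDYDATA).
DATE = r"(?P<Datum>\d{2}\.\d{2}\.\d{4})"
TIME = r"(?P<Uhrzeit>\d{2}:\d{2}:\d{2})"
HOST = r"(?P<Hostname>[A-Za-z0-9.-]+)"
LEVEL = r"(?P<LogLevel>TRACE|DEBUG|INFO|WARN|ERROR|FATAL)"
HEAD = rf"^{DATE} {TIME} {HOST} : (?P<ApplicationName>.*) : {LEVEL} - "

# First grok: lines carrying the /configFile parameters.
CONFIG_RE = re.compile(
    HEAD
    + r"(?P<message>.*) /configFile=(?P<configFile>.*)"
    + r" /logConfigFolder=(?P<logConfigFolder>.*) /step=(?P<WP_Step>.*)$"
)
# Second grok: the generic pattern.
GENERIC_RE = re.compile(HEAD + r"(?P<message>.*)$")


def grok(event, regex):
    """Model one grok filter from the post: on a match, copy the captures
    into the event (overwriting 'message'), build 'timestamp' from Datum
    and Uhrzeit, drop those two fields and add tag "3"; on a miss, add
    the _grokparsefailure tag and leave the event otherwise untouched."""
    tags = event.setdefault("tags", [])
    m = regex.match(event["message"])
    if m is None:
        tags.append("_grokparsefailure")
        return event
    fields = m.groupdict()
    event["timestamp"] = f"{fields.pop('Datum')} {fields.pop('Uhrzeit')}"
    event.update(fields)
    tags.append("3")
    return event


def original_pipeline(line):
    """The filter as posted: the generic grok runs after the /configFile
    grok and therefore sees the already overwritten 'message'."""
    event = {"message": line}
    if "/configFile" in event["message"]:
        grok(event, CONFIG_RE)
    grok(event, GENERIC_RE)
    return event


def fixed_pipeline(line):
    """The same filter with the generic grok moved into an else branch."""
    event = {"message": line}
    if "/configFile" in event["message"]:
        grok(event, CONFIG_RE)
    else:
        grok(event, GENERIC_RE)
    return event


def to_utc(timestamp, zone_offset_hours):
    """Model the date filter: read 'dd.MM.yyyy HH:mm:ss' in a zone at the
    given fixed offset from UTC and return the UTC instant that ends up in
    @timestamp. Without `timezone`, the date filter uses the Logstash host's
    zone; the offset passed here is an assumption for illustration only."""
    zone = timezone(timedelta(hours=zone_offset_hours))
    local = datetime.strptime(timestamp, "%d.%m.%Y %H:%M:%S").replace(tzinfo=zone)
    return local.astimezone(timezone.utc).isoformat()


if __name__ == "__main__":
    for line in LOG_LINES:
        print("posted:", original_pipeline(line)["tags"])
        print("fixed :", fixed_pipeline(line)["tags"])
    # A CET log (UTC+1 in January) read on a UTC host vs. with the log's zone.
    print("host zone UTC:", to_utc("26.01.2018 15:57:12", 0))
    print("log zone CET :", to_utc("26.01.2018 15:57:12", 1))
```

Running it shows the posted order tagging the two /configFile lines with both "3" and "_grokparsefailure" while the first line gets only "3", and the else-branch version parsing all three; the two `to_utc` calls differ by exactly one hour, which is what Kibana displays when the zone Logstash assumes is not the zone the log was written in.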