Handling multiple date formats in logstash

lleatherby · July 14, 2017, 7:31pm

I have a dataset with multiple date formats. if I use this filter:
grok {
match => [
"message",
"(?%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}T%{TIME:time})%{SPACE}%{GREEDYDATA:text}"
]
}

I get my own variable created for one set of date formats. Now I need to add in a second date format. I don't understand enough about the above syntax to know how to (or if I can) modify that syntax to have it create the p3timestamp variable for me.

And in case you are wondering, I found an example of the above syntax someplace on the web and modified it for my use. It works nicely.

Help/advice is greatly appreciated.

magnusbaeck · July 14, 2017, 7:35pm

I get my own variable created for one set of date formats.

Well... you get four fields for the different timestamp components.

The grok filter supports specifying multiple expressions that will be evaluated one by one until there's a match (example below). Depending on the exact circumstances that might be your best option.

lleatherby · July 14, 2017, 9:17pm

Thanks. I'll take a look at it.

system · August 11, 2017, 9:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.