Handling multiple date formats in logstash

lleatherby · July 14, 2017, 7:31pm

I have a dataset with multiple date formats. if I use this filter:
grok {
match => [
"message",
"(?%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}T%{TIME:time})%{SPACE}%{GREEDYDATA:text}"
]
}

I get my own variable created for one set of date formats. Now I need to add in a second date format. I don't understand enough about the above syntax to know how to (or if I can) modify that syntax to have it create the p3timestamp variable for me.

And in case you are wondering, I found an example of the above syntax someplace on the web and modified it for my use. It works nicely.

Help/advice is greatly appreciated.

magnusbaeck · July 14, 2017, 7:35pm

I get my own variable created for one set of date formats.

Well... you get four fields for the different timestamp components.

The grok filter supports specifying multiple expressions that will be evaluated one by one until there's a match (example below). Depending on the exact circumstances that might be your best option.

lleatherby · July 14, 2017, 9:17pm

Thanks. I'll take a look at it.

system · August 11, 2017, 9:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multiple Date formats in one file Logstash	4	2512	June 20, 2017
Best way to handle different date formats? Logstash	3	1452	January 3, 2019
Parsing different date formats (difficult) Logstash	9	12878	August 2, 2018
Multiple dates in log file defining the @timestamp date Logstash	6	1098	July 6, 2017
Logstash - Filtering multiple date formats - date_time_parse_exception Logstash	1	461	November 12, 2019

Handling multiple date formats in logstash

Related topics