Hi all,
I have a log file that is composed of lines like these:
Thu Aug 2 21:20:53 2018 (675001) -7- XATTR(Id:304 Len:8) BUF [ 6e 97 12 7a 00 10 00 00 ]
Thu Aug 2 21:20:53 2018 (675007) -7- XATTR(Id:1027 Len:7) BUF [ 07 e2 08 02 15 14 35 ]
Thu Aug 2 21:20:53 2018 (675013) -7- XATTR(Id:3000 Len:4) BUF [ 00 38 ae e2 ]
Thu Aug 2 21:20:53 2018 (675017) -7- XATTR(Id:304 Len:16) BUF [ 6e 97 12 7a 00 10 00 02 00 00 00 00 00 00 03 a2
Thu Aug 2 21:20:53 2018 (675024) -7- ]
I read the file with Filebeat and send it to Logstash.
I'm using this multiline config:
multiline.pattern: '[[:alpha:]][[:space:]][[:alpha:]][[:space:]][[:space:]][[:digit:]][[:space:]]^[0-9]{2}:[0-9]{2}:[0-9]{2}'
multiline.negate: false
multiline.match: after
With this grok filter:
grok {
match => ["message", "%{DAY}%{SPACE}%{MONTH}%{SPACE}%{MONTHDAY}%{SPACE}%{TIME}%{SPACE}%{YEAR}%{SPACE}%{JAVALOGMESSAGE}"]
}
date {
match => [ "timestamp", "YYYY-MM-dd HH:mm:ss,SSS", "HH:mm:ss,SSS", "EEE MMM dd HH:mm:ss YYYY", "dd-MMM-yyyy HH:mm:ss.SSS" ]
timezone => "Europe/Rome"
target => "@timestamp"
}
The problem is that the timestamps in ES are not aligned:
August 3rd 2018, 12:15:21.912 Fri Aug 3 12:14:30 2018 (422017) -3- WorkerThread::elaborateOddsChange > Extracted earlybetstatus
August 3rd 2018, 12:15:21.912 Fri Aug 3 12:14:30 2018 (414515) -6- WorkerThread::Run > RecvFrom returned with res 32
August 3rd 2018, 12:15:21.912 Fri Aug 3 12:14:30 2018 (422133) -6- XmlUtil::getAttrValue > value is [1533291270317]
Can someone help me?
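Added example, not code from the original post: the same log header parsed in Python, with the leading timestamp captured into its own field (the date filter above can only parse a field that grok actually produces) and interpreted in Europe/Rome as the date filter intends. The regex is a hand-written equivalent of the `%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}` grok sequence, the sample lines are constructed in the poster's format, and the fixed +02:00 fallback is an assumption used only when the host has no tz database.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample lines in the poster's format; the last two show a BUF dump
# split across two lines, which only the multiline join can reassemble.
SAMPLE_LINES = [
    "Thu Aug 2 21:20:53 2018 (675001) -7- XATTR(Id:304 Len:8) BUF [ 6e 97 12 7a 00 10 00 00 ]",
    "Thu Aug 2 21:20:53 2018 (675007) -7- XATTR(Id:1027 Len:7) BUF [ 07 e2 08 02 15 14 35 ]",
    "Thu Aug 2 21:20:53 2018 (675017) -7- XATTR(Id:304 Len:16) BUF [ 6e 97 12 7a 00 10 00 02",
    "Thu Aug 2 21:20:53 2018 (675024) -7- ]",
]

# Python equivalent of %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}, but with the
# whole timestamp in a named group so a date parser can consume it.
HEADER_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
    r" \((?P<seq>\d+)\) -(?P<level>\d)- (?P<msg>.*)$"
)
XATTR_RE = re.compile(r"XATTR\(Id:(?P<id>\d+) Len:(?P<len>\d+)\) BUF \[ (?P<hex>[0-9a-f ]+) \]")

def rome_tz():
    # Europe/Rome as in the date filter; assumption: fall back to CEST (+02:00)
    # when no tz database is installed.
    try:
        from zoneinfo import ZoneInfo
        return ZoneInfo("Europe/Rome")
    except Exception:
        return timezone(timedelta(hours=2))

def parse_line(line):
    m = HEADER_RE.match(line)
    if not m:
        return None
    # %d accepts the single-digit day in "Aug 2"; collapse double spaces first.
    naive = datetime.strptime(re.sub(r" +", " ", m["timestamp"]), "%a %b %d %H:%M:%S %Y")
    event = {
        "timestamp": naive.replace(tzinfo=rome_tz()).isoformat(),
        "seq": int(m["seq"]),
        "level": int(m["level"]),
        "message": m["msg"],
    }
    x = XATTR_RE.search(m["msg"])
    if x:
        payload = bytes.fromhex("".join(x["hex"].split()))
        event["xattr_id"] = int(x["id"])
        # Check the declared Len against the bytes actually dumped instead of trusting it.
        event["xattr_len_ok"] = len(payload) == int(x["len"])
        event["xattr_payload"] = payload.hex()
    return event

def parse_lines(lines):
    return [e for e in (parse_line(l) for l in lines) if e]
```

Records whose BUF dump lacks the closing `]` on the same line get no `xattr_*` fields, which is the case the multiline setting has to handle before grok runs.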