How to parse @timestamp field using HTTPDERROR_DATE pattern?

vitorlui · November 2, 2016, 5:49pm

I am trying to parse the timestamp from my log but my filter doesn't parse properly:

My log file has this pattern:

[Sun Oct 30 17:16:09 2016] [TRACE_HIGH] [TEST1] MessageTest1
[Sun Oct 30 17:16:10 2016] [TRACE_HIGH] [TEST2] MessageTest2

My Filter:

filter {
if [type] == "mycustomlog" {
grok {
match => { "message" => "\A[%{HTTPDERROR_DATE:timestamp}]%{SPACE}(?(.|\r|\n)*).(\n))"}
}
date {
# Format: Wed Jan 13 11:50:44.327650 2016 (GROK: HTTPDERROR_DATE)
match => [ "timestamp", "EEE MMM dd HH:mm:ss yyyy"]
}
multiline {
pattern => "^%{SYSLOG5424SD}%{SPACE}"
what => "previous"
negate=> true
}
}
}

I am trying to use my datetime log into @timestamp field, but I
cannot parse this format into @timestamp. Why the date filter did not
replace the @timestamp value?

magnusbaeck · November 3, 2016, 6:46am

Look in your log file. If the date filter can't parse a date it'll log clues about what it doesn't like.

Topic		Replies	Views
Logstash date filter and @timestamp field Logstash	10	4073	September 27, 2017
Data parse error ["_dateparsefailure"] Logstash	9	1031	August 15, 2018
Grok date parsing trouble Logstash	3	23022	July 6, 2017
How to parse date field into @timestamp Logstash	18	35135	December 12, 2017
Log timestamp is not getting through date filter getting date_time_parse_exception Logstash	18	1627	August 13, 2022

How to parse @timestamp field using HTTPDERROR_DATE pattern?

Related topics