I am trying to parse the timestamp from my log, but my filter doesn't parse it properly.
My log file has this pattern:
[Sun Oct 30 17:16:09 2016] [TRACE_HIGH] [TEST1] MessageTest1
[Sun Oct 30 17:16:10 2016] [TRACE_HIGH] [TEST2] MessageTest2
My Filter:
filter {
  if [type] == "mycustomlog" {
    grok {
      match => { "message" => "\A[%{HTTPDERROR_DATE:timestamp}]%{SPACE}(?(.|\r|\n)*).(\n))" }
    }
    date {
      # Format: Wed Jan 13 11:50:44.327650 2016 (GROK: HTTPDERROR_DATE)
      match => [ "timestamp", "EEE MMM dd HH:mm:ss yyyy" ]
    }
    multiline {
      pattern => "^%{SYSLOG5424SD}%{SPACE}"
      what => "previous"
      negate => true
    }
  }
}
I am trying to use the datetime from my log as the @timestamp field, but I
cannot parse this format into @timestamp. Why did the date filter not
replace the @timestamp value?
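As an added example (not from the question and not Logstash's own code), the Python below mirrors what the grok and date filters are meant to do with these lines: a regex equivalent of `\[%{HTTPDERROR_DATE:timestamp}\]` with the brackets escaped, a strptime equivalent of the Joda pattern `EEE MMM dd HH:mm:ss yyyy`, and a `None` result where grok would not match, which is exactly the case in which the date filter finds no `timestamp` field and leaves @timestamp untouched. The HTTPDERROR_DATE expansion is reduced to what the sample needs, the extra `level`/`tag` fields are my own names, and UTC is an assumed timezone (Logstash needs one configured for this format too).

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the format shown in the question.
SAMPLE_LOG = [
    "[Sun Oct 30 17:16:09 2016] [TRACE_HIGH] [TEST1] MessageTest1",
    "[Sun Oct 30 17:16:10 2016] [TRACE_HIGH] [TEST2] MessageTest2",
]

# Reduced expansion of grok's HTTPDERROR_DATE
# (%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}); grok's real sub-patterns are broader.
HTTPDERROR_DATE = (
    r"(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"(?:[12][0-9]|3[01]|0?[1-9]) "
    r"(?:[01]?[0-9]|2[0-3]):[0-5][0-9]:[0-5][0-9] "
    r"\d{4}"
)

# Equivalent of a grok match such as
#   \A\[%{HTTPDERROR_DATE:timestamp}\]%{SPACE}\[%{WORD:level}\] \[%{WORD:tag}\] %{GREEDYDATA:message}
# Note the escaped brackets: an unescaped "[...]" is read as a character class, not a literal.
LINE_RE = re.compile(
    r"\A\[(?P<timestamp>" + HTTPDERROR_DATE + r")\]\s*"
    r"\[(?P<level>\w+)\]\s*\[(?P<tag>\w+)\]\s*(?P<message>.*)\Z",
    re.DOTALL,
)

# Joda "EEE MMM dd HH:mm:ss yyyy" expressed as a strptime format.
DATE_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_line(line, tz=timezone.utc):
    """Return the fields grok would produce plus '@timestamp' as the date filter would set it.

    Returns None when the line does not match: in that case no 'timestamp' field exists,
    so a date filter keyed on it does nothing and @timestamp keeps its ingest-time value.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # The log format carries no timezone, so one must be assumed (UTC here).
    parsed = datetime.strptime(fields["timestamp"], DATE_FORMAT).replace(tzinfo=tz)
    fields["@timestamp"] = parsed.isoformat().replace("+00:00", "Z")
    return fields
```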