How to parse @timestamp field using HTTPDERROR_DATE pattern?

I am trying to parse the timestamp from my log but my filter doesn't parse properly:

My log file has this pattern:

[Sun Oct 30 17:16:09 2016] [TRACE_HIGH] [TEST1] MessageTest1
[Sun Oct 30 17:16:10 2016] [TRACE_HIGH] [TEST2] MessageTest2

My Filter:

filter {
  if [type] == "mycustomlog" {
    grok {
      match => { "message" => "\A[%{HTTPDERROR_DATE:timestamp}]%{SPACE}(?(.|\r|\n)*).(\n))"}
    }
    date {
      # Format: Wed Jan 13 11:50:44.327650 2016 (GROK: HTTPDERROR_DATE)
      match => [ "timestamp", "EEE MMM dd HH:mm:ss yyyy"]
    }
    multiline {
      pattern => "^%{SYSLOG5424SD}%{SPACE}"
      what => "previous"
      negate => true
    }
  }
}

I am trying to use the datetime from my log as the @timestamp field, but I cannot parse this format into @timestamp. Why did the date filter not replace the @timestamp value?


Look in your log file. If the date filter can't parse a date it'll log clues about what it doesn't like.
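
A filter for the two sample lines in the question, written here as an added example and not taken from either poster. It assumes each event already holds one complete log entry and uses a hypothetical field name, `log_body`; the brackets are escaped so grok matches them literally instead of reading them as a character class, and the default failure tags show which stage rejected an event.

```logstash
filter {
  if [type] == "mycustomlog" {
    grok {
      # \[ and \] match the literal brackets around the timestamp.
      # (?m) lets GREEDYDATA span newlines in multi-line entries.
      # log_body is a hypothetical field name chosen for this example.
      match => {
        "message" => "(?m)\A\[%{HTTPDERROR_DATE:timestamp}\]%{SPACE}%{GREEDYDATA:log_body}"
      }
    }

    # grok tags events it cannot match with _grokparsefailure; those
    # events have no "timestamp" field, so skip the date filter for them.
    if "_grokparsefailure" not in [tags] {
      date {
        # Matches: Sun Oct 30 17:16:09 2016
        match  => [ "timestamp", "EEE MMM dd HH:mm:ss yyyy" ]
        # Day and month names in the log are English.
        locale => "en"
        target => "@timestamp"
        # Removed only when parsing succeeds; on failure the field stays
        # and the event is tagged _dateparsefailure.
        remove_field => [ "timestamp" ]
      }
    }
  }
}
```

Events that still carry `_grokparsefailure` or `_dateparsefailure` in `tags` keep their ingest-time `@timestamp`, so searching for those tags shows whether the extraction or the date format is at fault.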