I can't record the current date from the log string in the @timestamp field

vanro · November 15, 2021, 1:31pm

Hello, I can't record the current date from the log string in the @timestamp field and convert the time field from the string type to the date type. Can you tell me what I'm doing wrong? My configuration is shown below..

if [type] == "bl" {
		grok {
			patterns_dir => ["/etc/logstash/patterns"]
			match => { "message" => "%{FIRESEC_BL_GENERAL}" }
		}
		date {
			match => ["time", "dd MMM yyyy hh:mm:ss.SSS"]
			target => "time"
		}
		date {
			match => ["time", "dd MMM yyyy hh:mm:ss.SSS"]
			target => "@timestamp"
		}
	}

My patterns:
FIRESEC_TIME %{MONTHDAY} %{MONTH} %{YEAR} %{TIME}
FIRESEC_BL_GENERAL %{FIRESEC_TIME:time} [(?<module_name>(?:[^-]+|-(?:$|[^\d])))-(?<module_version>[^]])][(?<alert_source>[^]])] (?<alert_type>[^ ]) (?<alert_message>[^\n^.])

leandrojmp · November 15, 2021, 2:15pm

Try to change your date filter, use HH instead of hh.

Change it to: "dd MMM yyyy HH:mm:ss.SSS".

Lowercase h is used when you have AM/PM time, it means clockhour of halfday (1~12).

When you have the time with 24 hour format you need to use HH.

vanro · November 16, 2021, 1:29pm

Thank you very much, it helped me

system · December 14, 2021, 1:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.