Is there a way to match Timestamps with the time in the message of the log

Archie_Crawford · July 28, 2020, 12:33pm

I have tried to use things like :

Filter{
grok {
match => ["message", "%{TIMESTAMP_ISO8601:timestamp}"]
}
date {
match => ["timestamp", "ISO8601"]
}
}

I have been trying to do this for java stack trace logs ... and I have not been able to get it to work

message log to timmestamp

Jenni · July 28, 2020, 12:43pm

That's not ISO8601. It's a SYSLOGTIMESTAMP with the format MMM dd HH:mm:ss.

Archie_Crawford · July 28, 2020, 5:26pm

Ok I switched that out, and I can get a new field that shows the time in @timestamp, but the Time in the far left still does not change ... the one that shows when it was sent to the index

Jenni · July 28, 2020, 5:31pm

What does your configuration look like
And how many different date formats are there? The second screenshot seems to have a completely different message format than the first?
Having some example events posted as text instead of pictures might make it clearer.

Archie_Crawford · July 28, 2020, 6:18pm

Sorry about that, I have different log paths going to the kibana the first one was a /var/log/message and the second one came from acess.80.log log path... ill upload the logs

Archie_Crawford · July 29, 2020, 5:49pm

filter {
grok {
match => ["message", "%{TIMESTAMP_ISO8601:timestamp}%{GREEDYDATA:Message}"]
}
date {
match => ["timestamp", "ISO8601"]
}
}

I went back to this conf in logstash because I notice it matches the catalina logs.. the screen show is the logs filtered for just the catlinia logs

Archie_Crawford · July 29, 2020, 5:49pm

When you say post event in text instead of pic im not sure what you mean

Archie_Crawford · July 29, 2020, 5:52pm

You know what ... after doing this again... its now working

Badger · July 29, 2020, 6:58pm

If you post a screen shot of an event in Kibana the screen shot is not searchable. It is not accessible to the visually impaired. I cannot copy and paste the message field to a machine running logstash, so that I can actually try things and give you a working solution. Instead I can make suggestions about what you can try.

Help us to help you. Instead of posting a screenshot, expand the event in Discover and click on the JSON tab, then copy and paste the JSON. Redact as necessary, without changing the structure. Select the JSON in the edit pane and click on </> in the toolbar above the edit pane, so that the formatting of the JSON is preserved.

Archie_Crawford · July 29, 2020, 7:32pm

Ahh ok I see , thank you ... and it is working now

system · August 26, 2020, 7:32pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.