Is there a way to match timestamps with the time in the message of the log?

I have tried to use things like:

filter {
  grok {
    match => ["message", "%{TIMESTAMP_ISO8601:timestamp}"]
  }
  date {
    match => ["timestamp", "ISO8601"]
  }
}

I have been trying to do this for java stack trace logs ... and I have not been able to get it to work

message log to timestamp

That's not ISO8601. It's a SYSLOGTIMESTAMP with the format MMM dd HH:mm:ss.

OK, I switched that out, and I can get a new field that shows the time in @timestamp, but the time on the far left still does not change... the one that shows when it was sent to the index.
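A filter that handles both timestamp formats seen in this thread, the syslog-style "MMM dd HH:mm:ss" from /var/log/messages and the ISO8601 stamp from the Catalina logs, and writes the parsed value into @timestamp (the column Kibana shows on the far left); this is an added example, not the original poster's configuration, and the field names, the host pattern and the timezone are assumptions:

```logstash
filter {
  # Constructed input this is written for:
  #   syslog style:  "Mar  7 14:02:11 web01 sshd[2211]: Accepted publickey for deploy"
  #   Catalina style: "2019-03-07T14:02:11,512 INFO [main] Server startup in 4211 ms"
  grok {
    match => {
      "message" => [
        "^%{SYSLOGTIMESTAMP:log_time} %{SYSLOGHOST:host_name} %{GREEDYDATA:log_message}",
        "^%{TIMESTAMP_ISO8601:log_time} %{GREEDYDATA:log_message}"
      ]
    }
    # events that match neither pattern keep their ingest @timestamp and get this tag
    tag_on_failure => ["_grokparsefailure"]
  }

  # only touch @timestamp when grok actually captured a time from the message
  if [log_time] {
    date {
      match => [
        "log_time",
        "MMM dd HH:mm:ss",   # "Mar 17 14:02:11"
        "MMM  d HH:mm:ss",   # "Mar  7 14:02:11" (single-digit day is space padded)
        "ISO8601"            # "2019-03-07T14:02:11,512"
      ]
      timezone => "UTC"      # assumption: the log source writes UTC; set it to the real zone
      target   => "@timestamp"
      tag_on_failure => ["_dateparsefailure"]
    }
  }
}
```

The syslog stamp carries no year, so the date filter assumes the current one; lines ingested across a year boundary can be dated wrongly, which is worth checking with a `_dateparsefailure` / year-range query before relying on @timestamp for incident timelines.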

What does your configuration look like?
And how many different date formats are there? The second screenshot seems to have a completely different message format than the first.
Having some example events posted as text instead of pictures might make it clearer.

Sorry about that, I have different log paths going to Kibana; the first one was /var/log/message and the second one came from the acess.80.log log path... I'll upload the logs.

filter {
  grok {
    match => ["message", "%{TIMESTAMP_ISO8601:timestamp}%{GREEDYDATA:Message}"]
  }
  date {
    match => ["timestamp", "ISO8601"]
  }
}

I went back to this conf in Logstash because I noticed it matches the Catalina logs... the screenshot is the logs filtered for just the Catalina logs.

When you say post the event in text instead of a pic, I'm not sure what you mean.

You know what... after doing this again... it's now working.

If you post a screen shot of an event in Kibana the screen shot is not searchable. It is not accessible to the visually impaired. I cannot copy and paste the message field to a machine running logstash, so that I can actually try things and give you a working solution. Instead I can make suggestions about what you can try.

Help us to help you. Instead of posting a screenshot, expand the event in Discover and click on the JSON tab, then copy and paste the JSON. Redact as necessary, without changing the structure. Select the JSON in the edit pane and click on </> in the toolbar above the edit pane, so that the formatting of the JSON is preserved.

Ah ok, I see, thank you... and it is working now.
