Logstah date help

pierre · December 15, 2016, 1:58pm

i have this :
01-11-2015;17:41:01;641

filter {
grok {
break_on_match => "false"
match => { "message" => '%{DATA}%{DATE_EU:Date};%{TIME:Date};%{NUMBER:Nombre}%{DATA}'}
}
}
Here my date = string and i want date = date so i use

date {
match => [ "Date", "dd MM YYYY HH:mm:ss" ]
}

but i have
{
"_index": "logstash-2016.12.15",
"_type": "Vmware",
"id": "AVkCgGy96Itcz_3yhMg",
"_score": null,
"_source": {
"Nombre": 751,
"path": "/var/log/StatVM/test10.log",
"@timestamp": "2016-12-15T12:41:27.524Z",
"@version": "1",
"host": "localhost.localdomain",
"message": "14-12-2016;11:20:01;751",
"type": "Vmware",
"Date": [
"14-12-2016",
"11:20:01"
],
"tags": [
"_dateparsefailure",
"_grokparsefailure"
]
},
"fields": {
"@timestamp": [
1481805687524
]
},
"sort": [
1481805687524
]
}
},
"fields": {
"@timestamp": [
1481804404819
]
},
"sort": [
1481804404819
]
}

magnusbaeck · December 15, 2016, 2:05pm

Your Date field doesn't contain a "dd MM YYYY HH:mm:ss" string, it's an two-element array. Suggestion:

grok {
  break_on_match => "false"
  match => {
    "message" => '%{DATA}%{DATE_EU:Date};%{TIME:Time};%{NUMBER:Nombre}%{DATA}'
  }
  add_field => {
    "timestamp" => "%{Date} %{Time}"
  }
}

date {
  match => [ "timestamp", "dd MM YYYY HH:mm:ss" ]
}

pierre · December 19, 2016, 6:00pm

i have grokfail

magnusbaeck · December 19, 2016, 9:15pm

Please show your configuration and a sample event, preferably from a stdout { codec => rubydebug } output.

pierre · December 20, 2016, 2:22pm

my log : 22-11-2016 23:32:01;703

my filter :

filter {
grok {
break_on_match => "false"
match => {
"message" => '%{DATA}%{DATE_EU:Date} %{TIME:Time};%{NUMBER:Nombre:float}%{DATA}'
}
add_field => {
"timestamp" => "%{Date} %{Time}"
}
}

date {
match => [ "timestamp", "dd-MM-YYYY HH:mm:ss" ]
}
}
you can see :

"@timestamp": "2016-11-22T22:32:01.000Z",
"tags": [],
"timestamp": "22-11-2016 23:32:01"
},

in my index patterns i have : @timestamp , type = date so i can chose this Time-field

me seconde timestamp add by add_field but in my index patterns i have timestamp.keyword , type = sting so i can't use this timestamp , i can't chose this timestamp in my Time-field

i want compare the number with the time

magnusbaeck · December 20, 2016, 2:28pm

This looks correct. Keep in mind that @timestamp is UTC.

pierre · December 20, 2016, 2:52pm

:o sorry i go sleep LOL

system · January 17, 2017, 2:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.