Logstah date help

pierre · December 15, 2016, 1:58pm

i have this :
01-11-2015;17:41:01;641

filter {
grok {
break_on_match => "false"
match => { "message" => '%{DATA}%{DATE_EU:Date};%{TIME:Date};%{NUMBER:Nombre}%{DATA}'}
}
}
Here my date = string and i want date = date so i use

date {
match => [ "Date", "dd MM YYYY HH:mm:ss" ]
}

but i have
{
"_index": "logstash-2016.12.15",
"_type": "Vmware",
"id": "AVkCgGy96Itcz_3yhMg",
"_score": null,
"_source": {
"Nombre": 751,
"path": "/var/log/StatVM/test10.log",
"@timestamp": "2016-12-15T12:41:27.524Z",
"@version": "1",
"host": "localhost.localdomain",
"message": "14-12-2016;11:20:01;751",
"type": "Vmware",
"Date": [
"14-12-2016",
"11:20:01"
],
"tags": [
"_dateparsefailure",
"_grokparsefailure"
]
},
"fields": {
"@timestamp": [
1481805687524
]
},
"sort": [
1481805687524
]
}
},
"fields": {
"@timestamp": [
1481804404819
]
},
"sort": [
1481804404819
]
}

magnusbaeck · December 15, 2016, 2:05pm

Your Date field doesn't contain a "dd MM YYYY HH:mm:ss" string, it's an two-element array. Suggestion:

grok {
  break_on_match => "false"
  match => {
    "message" => '%{DATA}%{DATE_EU:Date};%{TIME:Time};%{NUMBER:Nombre}%{DATA}'
  }
  add_field => {
    "timestamp" => "%{Date} %{Time}"
  }
}

date {
  match => [ "timestamp", "dd MM YYYY HH:mm:ss" ]
}

pierre · December 19, 2016, 6:00pm

i have grokfail

magnusbaeck · December 19, 2016, 9:15pm

Please show your configuration and a sample event, preferably from a stdout { codec => rubydebug } output.

pierre · December 20, 2016, 2:22pm

my log : 22-11-2016 23:32:01;703

my filter :

filter {
grok {
break_on_match => "false"
match => {
"message" => '%{DATA}%{DATE_EU:Date} %{TIME:Time};%{NUMBER:Nombre:float}%{DATA}'
}
add_field => {
"timestamp" => "%{Date} %{Time}"
}
}

date {
match => [ "timestamp", "dd-MM-YYYY HH:mm:ss" ]
}
}
you can see :

"@timestamp": "2016-11-22T22:32:01.000Z",
"tags": [],
"timestamp": "22-11-2016 23:32:01"
},

in my index patterns i have : @timestamp , type = date so i can chose this Time-field

me seconde timestamp add by add_field but in my index patterns i have timestamp.keyword , type = sting so i can't use this timestamp , i can't chose this timestamp in my Time-field

i want compare the number with the time

magnusbaeck · December 20, 2016, 2:28pm

This looks correct. Keep in mind that @timestamp is UTC.

pierre · December 20, 2016, 2:52pm

:o sorry i go sleep LOL

system · January 17, 2017, 2:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
There is no dateparsefailure in the tag,but it does not work Logstash	10	555	June 6, 2018
How to change data type for date field? Logstash	5	16736	July 6, 2017
Why i can't add a date field Logstash	11	1044	May 14, 2018
Logstash Parse Date Issue Logstash	2	656	July 6, 2017
Logstash doesn't parse date Logstash	3	569	December 25, 2018

Logstah date help

Related Topics