Logstash 7.0.1 - Grok pattern

hassen_k · May 16, 2019, 8:46am

Hi,

I am using Logstash 7.0.1. I have the following log :

amPolicy:05/16/2019 05:47:31:262 AM CEST: Thread[http-nio-8080-exec-14,5,main]

The Logstash configuration is like that :

...
mutate {
     gsub => [ "timestamp", "CEST", "" ]
}
date {
       match => ["timestamp", "MM/dd/yyyy KK:mm:ss:SSS aa" , "MM/dd/yyyy hh:mm:ss:SSS a",   "MM/dd/yyyy KK:mm:ss:SSS"]
       target => "@timestamp"
}
...

But I always receive the message _dateparsefailure

t   message	amPolicy:05/16/2019 05:47:31:262 AM CEST: Thread[http-nio-8080-exec-14,5,main]
t   tags	openamlogs, _dateparsefailure
t   timestamp	05/16/2019 05:47:31:262 AM

Thanks for help
H.

Badger · May 16, 2019, 12:33pm

If you started with this then you removed the CEST but not the trailing space, so your timestamp field is

"05/16/2019 05:47:31:262 AM "

which does not match your pattern. Change the gsub to match

" CEST"

hassen_k · May 16, 2019, 12:48pm

It is working.

Thanks a lot
H.

system · June 13, 2019, 12:48pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.