I am trying to configure Logstash to parse the log into 3 fields: date & time (dts), log level (lvl) and the rest of the message.
But the output always shows an incorrect timestamp: the timestamp I want to show is the time in the log error, but it shows the time of the local machine. Please give me advice. Below are the Logstash conf and the output, FYI.
-> The error sample is: 2022-03-15 12:42:28.5801 INFO 1 Com.Bmc.Ctmem.EmCSInfrustructure.EMFoundations.GetEMLogLocation C:\Program Files\BMC Software\Control-M EM\CBMTCTCAPR01_0\log\
0711 06:40:23.726:pid=119813:ERR:../../proto/ssl/openssl_tls.c:359:SSLsess=2472cd0:SSL_connect:SSL_ERROR_SYSCALL: write error system error 104
My grok:
%{MONTHNUM:month}%{MONTHDAY:day}%{SPACE}%{TIME:time}%{NOTSPACE}%{LOGLEVEL:LVL}%{GREEDYDATA:REST}
The output cannot get the pid. Could you please give advice? Thanks
[
{
"month": 7,
"day": 11,
"time": "06:40:23.726",
"LVL": "ERROR",
"REST": "_SYSCALL: write error system error 104"
}
]
Thanks @Badger. It is working with the grok below:
?%{MONTHNUM:month}%{MONTHDAY:day}%{SPACE}%{TIME:time})%{DATA:PID}%{SPACE}%{LOGLEVEL:LVL}%{GREEDYDATA:REST}
Could you advise on another sample below? It contains the AM/PM format:
"Jul 11, 2022 6:44:49 AM org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi getDefaultTrustStore INFO: Initializing with trust store at path: /app/ctrlm-agent/ctm/cm/AFT/JRE_11/lib/security/cacerts"
Define a custom pattern for the grok and then parse it in the date filter using MMM dd, yyyy hh:mm:ss a. (Note hh rather than HH since this is hour of the half-day.)
I tried:
(?%{MONTH:month} %{MONTHDAY:day}, %{YEAR:year} %{TIME} (AM|PM)) %{GREEDYDATA:rest}
I can get the correct date output. Can you advise how I can split the log level INFO and "org.bouncycastle.jsse.provider.ProvTrustManagerFactorySpi getDefaultTrustStore"? I don't know how to define this one.
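One way to split the class, method and level in the AM/PM sample and to set the event time from the log line instead of the ingest time, written as an added example that is not part of any post in this thread. The field names dts, class, method, lvl and rest and the UTC timezone are assumptions; the date format is the one suggested in the reply above.

```logstash
filter {
  grok {
    # dts    = the whole timestamp text, captured as one field for the date filter
    # class  = logger class, method = source method (java.util.logging layout)
    # lvl    = the upper-case level word directly before the colon
    # rest   = the message text
    # The leading ^ and the literal ": " after the level pin each field to its
    # position, so a level name appearing inside the message is not captured.
    match => {
      "message" => "^(?<dts>%{MONTH} %{MONTHDAY}, %{YEAR} %{TIME} (?:AM|PM)) %{JAVACLASS:class} %{NOTSPACE:method} (?<lvl>[A-Z]+): %{GREEDYDATA:rest}"
    }
  }

  # Only attempt the date conversion when grok produced the dts field.
  if "_grokparsefailure" not in [tags] {
    date {
      # hh = clock hour of the half-day (1-12), a = AM/PM marker
      match    => ["dts", "MMM dd, yyyy hh:mm:ss a"]
      # Month names such as "Jul" are locale dependent; pin the locale.
      locale   => "en"
      # Assumption: the source host logs in UTC. The line carries no zone, so
      # set this to the zone of the machine that wrote the log.
      timezone => "UTC"
      # Overwrite the ingest time with the time parsed from the log line.
      target   => "@timestamp"
    }
  }
}
```

Events whose timestamp text does not match the format are tagged `_dateparsefailure` and keep the ingest time, so that tag is worth alerting on when event ordering matters.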