Logstash date extraction help


#1

Hello,

I am stuck with logstash and need a little help. Each event starts with a time stamp and is multiline.

Message:

Tue Nov 01 00:07:24 2016
Thread 1 advanced to log sequence 1234 (foo)
Current log# 2 seq# 1234 mem# 0: log_file_path
Current log# 2 seq# 1234 mem# 1: log_file_path
Tue Nov 01 00:07:25 2016
xyz: some data

Step 1: I'm using this multiline codec in the input section to merge lines... this seems to work when looking at stdout

multiline {
    pattern => "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"
    negate => true
    what => "previous"
}

Step 2: I want to extract the date & time and replace @timestamp with it.

I am stuck here. I know I need to use the date filter but I cannot get any pattern to work with the date format.

Thanks,
Frank


(Magnus Bäck) #2

What have you tried so far? The date filter logs any parsing errors. What does it say?


#3

Hi,

After researching (mostly to learn GROK) it looks like this is working...

The log file always starts with a date (format: Tue Nov 01 00:00:00 2016)

grok {
    # named capture: the matched date string is stored in the "timestamp" field
    match => [ "message", "^(?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR})" ]
}

Now that I have the log time in the timestamp field I used the date match filter to replace the @timestamp field.

date {
    match => [ "timestamp", "E MMM dd HH:mm:ss yyyy" ]
    timezone => "UTC"
    remove_field => "timestamp"
}

If there is a better way please let me know.

Regards,
Frank
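To make it easier to check what the three-stage pipeline in this thread actually does (multiline merge with negate/previous, grok capture into a "timestamp" field, date filter with the "E MMM dd HH:mm:ss yyyy" format and timezone UTC), here is an added example in plain Python that mirrors each stage. It is not Logstash code and not from anyone in the thread; it assumes a hand-written regex standing in for the %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR} grok pattern (restricted to the three-letter names and zero-padded day this log uses), and the Joda-to-strptime letter mapping noted in the comments. The sample log text is constructed to match the events quoted in the question.

```python
import re
from datetime import datetime, timezone

# Constructed sample log, same shape as the events quoted in the thread.
SAMPLE_LOG = """Tue Nov 01 00:07:24 2016
Thread 1 advanced to log sequence 1234 (foo)
Current log# 2 seq# 1234 mem# 0: log_file_path
Current log# 2 seq# 1234 mem# 1: log_file_path
Tue Nov 01 00:07:25 2016
xyz: some data
"""

# Plain-regex stand-in (assumption) for the grok pattern
# "^(?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR})".
# The named group plays the role of the grok "timestamp" field.
EVENT_START = re.compile(
    r"^(?P<timestamp>(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) "
    r"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) "
    r"\d{2} \d{2}:\d{2}:\d{2} \d{4})"
)

# Joda format "E MMM dd HH:mm:ss yyyy" from the date filter, expressed as
# strptime directives: E->%a, MMM->%b, dd->%d, HH->%H, mm->%M, ss->%S, yyyy->%Y.
STRPTIME_FORMAT = "%a %b %d %H:%M:%S %Y"


def merge_multiline(lines):
    """Stage 1: the multiline codec with negate => true, what => "previous".
    A line that does NOT match the start pattern is glued onto the previous event."""
    events = []
    for line in lines:
        if EVENT_START.match(line) or not events:
            events.append(line)
        else:
            events[-1] += "\n" + line
    return events


def extract_timestamp(event):
    """Stage 2: the grok capture. Returns the date string or None on a grok failure."""
    m = EVENT_START.match(event)
    return m.group("timestamp") if m else None


def parse_timestamp(ts):
    """Stage 3: the date filter. The log carries no zone, so timezone => "UTC"
    means "interpret the naive time as UTC", which is what replace(tzinfo=...) does."""
    naive = datetime.strptime(ts, STRPTIME_FORMAT)
    return naive.replace(tzinfo=timezone.utc)


def process(log_text):
    """Run the whole pipeline and return one record per merged event.
    Failures are tagged the way Logstash tags them instead of dropping the event."""
    records = []
    for event in merge_multiline(log_text.splitlines()):
        record = {"message": event, "tags": []}
        ts = extract_timestamp(event)
        if ts is None:
            record["tags"].append("_grokparsefailure")
        else:
            try:
                record["@timestamp"] = parse_timestamp(ts).isoformat()
            except ValueError:
                record["tags"].append("_dateparsefailure")
        records.append(record)
    return records


if __name__ == "__main__":
    for r in process(SAMPLE_LOG):
        print(r.get("@timestamp"), r["tags"], repr(r["message"]))
```

Running it on the constructed sample yields two events: the first carries the three continuation lines and an @timestamp of 2016-11-01T00:07:24+00:00, the second the single "xyz" line and 00:07:25. A line that fails the start pattern never becomes its own event, which is why a wrong pattern in step 1 shows up as one giant event on stdout rather than as a date-filter error.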


(system) #4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.