Logstash date extraction help

FrankC · November 23, 2016, 4:35pm

Hello,

I am stuck with logstash and need a little help. Each line starts with the event time stamp is multiline.

Message:

Tue Nov 01 00:07:24 2016
Thread 1 advanced to log sequence 1234 (foo)
Current log# 2 seq# 1234 mem# 0: log_file_path
Current log# 2 seq# 1234 mem# 1: log_file_path
Tue Nov 01 00:07:25 2016
xyz: some data

Step 1: Im using this multiline codec in the input section to merge lines... this seems to work when looking at stdout

multiline {
pattern => "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"
negate => true
what => "previous"
}

Step 2: I want to extract the date & time and replace @timestamp with it.

I am stuck here. I know I need to use the date filter but I cannot get any pattern to work wit the date format.

Thanks,
Frank

magnusbaeck · November 24, 2016, 8:54am

What you have tried so far? The date filter logs any parsing errors. What does it say?

FrankC · November 28, 2016, 4:33am

Hi,

After researching (mostly to learn GROK) it looks like this is working...

The log file always starts with a date (format: Tue Nov 01 00:00:00 2016)

grok {
match => [ "message", "^(?%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR})" ]
}

Now that I have the log time in the timestamp field I used the date match filter to replace the @timestamp field.

date {
match => [ "timestamp","E MMM dd HH:mm:ss yyyy" ]
timezone => "UTC"
remove_field => "timestamp"
}

If there is an better way please let me know.

Regards,
Frank

system · December 26, 2016, 4:33am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.