Logstash date extraction help

FrankC · November 23, 2016, 4:35pm

Hello,

I am stuck with logstash and need a little help. Each line starts with the event time stamp is multiline.

Message:

Tue Nov 01 00:07:24 2016
Thread 1 advanced to log sequence 1234 (foo)
Current log# 2 seq# 1234 mem# 0: log_file_path
Current log# 2 seq# 1234 mem# 1: log_file_path
Tue Nov 01 00:07:25 2016
xyz: some data

Step 1: Im using this multiline codec in the input section to merge lines... this seems to work when looking at stdout

multiline {
pattern => "%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR}"
negate => true
what => "previous"
}

Step 2: I want to extract the date & time and replace @timestamp with it.

I am stuck here. I know I need to use the date filter but I cannot get any pattern to work wit the date format.

Thanks,
Frank

magnusbaeck · November 24, 2016, 8:54am

What you have tried so far? The date filter logs any parsing errors. What does it say?

FrankC · November 28, 2016, 4:33am

Hi,

After researching (mostly to learn GROK) it looks like this is working...

The log file always starts with a date (format: Tue Nov 01 00:00:00 2016)

grok {
match => [ "message", "^(?%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR})" ]
}

Now that I have the log time in the timestamp field I used the date match filter to replace the @timestamp field.

date {
match => [ "timestamp","E MMM dd HH:mm:ss yyyy" ]
timezone => "UTC"
remove_field => "timestamp"
}

If there is an better way please let me know.

Regards,
Frank

Topic		Replies	Views
Parsing Log With grok Filter Logstash	11	3938	May 9, 2017
Logstash date extraction in logs Logstash	17	3439	April 10, 2019
Timestamp => @timestamp Logstash	17	4163	June 14, 2017
Help with Date Logstash	6	642	December 16, 2016
Cannot parse logs with date filter Logstash	4	908	October 18, 2017

Logstash date extraction help

Related topics