Logstash Date Filter Not Working with tab

Atul_Gunjal · April 16, 2020, 10:50am

I need to parse event and time separated by tab using the date filter in logstash, but logstash failed to identify tab and gives an error

 grok{
      patterns_dir => ["./patterns"]
      match => { "message" => "%{TIMEFORMAT:eventtime}\t%{WORD:typedata}\t%{WORD:loglevel}\t%{TIME}\t%{HOSTNAME:hostmachine}\t%{GREEDYDATA:serviceinfo}\t%{SERVMSG}" }
    }

    date{
      match=>["eventtime","yyyy-MM-dd\tHH:mm:ss"]
    }
  }

TIMEFORMAT %{YEAR}-%{MONTHNUM}-%{MONTHDAY}\t%{TIME}
COMP %{WORD:componenttype}\t%{GREEDYDATA:logmessage}
SERVMSG %{COMP}|\t%{GREEDYDATA:logmessage}
SERVICEDATA %{WORD:environment}\\%{GREEDYDATA:machine}\|%{POSINT:PID}\|%{GREEDYDATA:service}

"Unable to configure plugins: Illegal pattern component: t"

So, How can I create the mapping for eventtime to date in logstash?

Badger · April 16, 2020, 1:45pm

Use a literal tab in the configuration file.

Atul_Gunjal · April 17, 2020, 4:41am

date{
      match=>["eventtime","yyyy-MM-dd'\t'HH:mm:ss"]
      target=>["eventtime"]
    }

I tried this but it didn't work but error is now gone but eventtime is still string type and not date.

Badger · April 17, 2020, 2:52pm

If you already indexed documents in elasticsearch where eventtime is a string then all subsequent documents will have it as a string until you roll over to a new index.

system · May 15, 2020, 2:52pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.