Logstash date formatting

pastechecker · August 23, 2018, 3:02pm

Hello.
I have following loglines:

Aug 22 10:19:48 s1435 postfix/smtp[17330]: 28C1328124A4: to=jacobsd@gmail.com, relay=smtp2.google.com[194.14.9.134]:25, delay=1100, delays=0/1100/0.13/0.26, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 4FDD469A41_B7D1CA4F)

My filter is:

input {
file {
path => "/etc/logstash/conf.d/myfile.log"
start_position => "beginning"
}
}

filter {
grok {
match => { "message" => "^%{SYSLOGTIMESTAMP}\s%{DATA}<%{DATA:email}>%{GREEDYDATA}" }
}
}

Is there a way to use this syslogtimestamp as a @timestamp to use the upper-right time filtering capability in Kibana?

magnusbaeck · August 23, 2018, 6:23pm

Yes, use a date filter. See https://www.elastic.co/guide/en/logstash/current/config-examples.html for an example.

Your grok expression is inefficient and potentially buggy. Don't use more than one DATA or GREEDYDATA pattern in the same expression.

pastechecker · August 24, 2018, 9:15am

Thanks for the hint.

Working configuration is:

filter {
grok { match => { "message" => "^%{SYSLOGTIMESTAMP:logdate} %{DATA:direction} %{DATA:email_address}$" }}
date {
match => [ "logdate", "MMM dd HH:mm:ss" ]
}
}

system · September 21, 2018, 9:15am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.