Logstash date parsing and convert

Pawel_Mazurek · February 12, 2020, 2:28pm

Hi
I have some issue with proper parsing string with date value.

In my log i have timestamp like this => Mon, 10 Feb 2020 09:22:04 CET

Now i want to parse this values and create some string field and after all i want to convert it to date field.

So i have filter like this below

filter
{
if "int_prod_MessageLogger" in [log][file][path]
{
grok {
match => { "message" => "(?<system_timestamp>[A-z]{3},\s[0-9]{1,2}\s[A-z]{3}\s\d{4}\s%{TIME}\s[A-Z]{1,5})"}
}
}
date {
match => [ "ystem_timestamp", "EEE, dd MMM yyyy hh:mm:ss z"]
#_system_timestamp" => "Mon, 10 Feb 2020 09:16:00 CET"
target => "@timestamp"
timezone=>"Europe/Warsaw"
}
}

I tried to parse with or withoute timezone set but still not works at all.

My goal is to to have it this timevalue as a main time index in elastic.

I will be grateful for any hints.

Best Regards

Badger · February 12, 2020, 3:00pm

You probably want to use [A-Za-z] rather than [A-z], since the upper and lower case letters are not contiguous blocks.

Also

match => [ "ystem_timestamp", "EEE, dd MMM yyyy hh:mm:ss z"]

That should be system_timestamp, not ystem_timestamp.

Pawel_Mazurek · February 12, 2020, 3:09pm

Badger:

Pawel_Mazurek:

[A-z]

You probably want to use [A-Za-z] rather than [A-z], since the upper and lower case letters are not contiguous blocks.

Also
match => [ "ystem_timestamp", "EEE, dd MMM yyyy hh:mm:ss z"]
That should be system_timestamp, not ystem_timestamp.

Yeah this is a copy paste error. My original (not working config ;)) has a system_timestamp.
Plus i corrected regexp and still have a dateparsefailure :(.

system · March 11, 2020, 3:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.