Logstash filter not working for @timestamp

I am having a devil of a time figuring out how to configure my Logstash filter options to correctly parse the timestamp from the event into the @timestamp field.

I'm sure I'm doing something wrong that is simple; I just can't see it. Each time I enter sample input, the @timestamp value does not update correctly. Any help would be appreciated.

Test config:

input { stdin {} }

filter {
  if [type] == "ssl_request" {
    grok {
      match => [ "message", '\[%{HTTPDATE:timestamp}\] %{IPORHOST:client} %{NOTSPACE:protocol} %{NOTSPACE:cipher} "(%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})"' ]
    }
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
      target => "@timestamp"
    }
  }
}

output {
  stdout { codec => json }
}

test input:
[02/JAN/2017:01:29:45 -0500] 10.1.1.1 TLSv1 RC4-SHA "POST /path/2/webservice/url HTTP/1.1" 27

output:
Pipeline main started
[02/JAN/2017:01:29:45 -0500] 10.1.1.1 TLSv1 RC4-SHA "POST /path/2/webservice/url HTTP/1.1" 27
{"message":"[02/JAN/2017:01:29:45 -0500] 10.1.1.1 TLSv1 RC4-SHA "POST /path/2/webservice/url HTTP/1.1" 27","@version":"1","@timestamp":"2017-02-02T17:13:46.383Z","host":"server_name"}[02/JAN/2017:01:29:45 -0500] 10.1.1.1 TLSv1 RC4-SHA "POST /path/2/webservice/url HTTP/1.1" 27
{"message":"[02/JAN/2017:01:29:45 -0500] 10.1.1.1 TLSv1 RC4-SHA "POST /path/2/webservice/url HTTP/1.1" 27","@version":"1","@timestamp":"2017-02-02T17:13:54.207Z","host":"server_name"}

What do you get in @timestamp? What did you expect to get?

The problem could be the uppercase month name. Have you inspected the Logstash log? The filter will indicate what it didn't like when trying to match the pattern.
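
An added example (not part of the original thread, and not Logstash code): a small Python triage helper that reads an event as emitted by the `stdout { codec => json }` output and names the stage of the posted pipeline that left `@timestamp` at ingest time. It relies on the config's `[type] == "ssl_request"` conditional and on the date and grok filters' default failure tags `_grokparsefailure` and `_dateparsefailure`; the function names, return codes and all sample events except the first are constructed for illustration.

```python
from datetime import datetime, timezone
import re

# Bracketed Apache-style stamp at the start of the ssl_request line.
STAMP = re.compile(r"\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")

def log_time(message):
    """Return the time written in the log line as an aware datetime, or None."""
    m = STAMP.search(message)
    # Python's %b accepts any letter case, so "JAN" parses here.
    return datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z") if m else None

def event_time(event):
    """Parse the event's @timestamp (UTC, millisecond precision)."""
    ts = datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts.replace(tzinfo=timezone.utc)

def triage(event, wanted_type="ssl_request"):
    """Name the pipeline stage that left @timestamp untouched."""
    tags = event.get("tags", [])
    if event.get("type") != wanted_type:
        return "filter_skipped"       # the `if [type] == ...` branch never ran
    if "_grokparsefailure" in tags or "timestamp" not in event:
        return "grok_failed"          # pattern did not match, nothing to parse
    if "_dateparsefailure" in tags:
        return "date_failed"          # field extracted, format rejected it
    if event_time(event) != log_time(event["message"]):
        return "timestamp_not_applied"
    return "ok"

LINE = ('[02/JAN/2017:01:29:45 -0500] 10.1.1.1 TLSv1 RC4-SHA '
        '"POST /path/2/webservice/url HTTP/1.1" 27')
BASE = {"message": LINE, "@version": "1", "host": "server_name",
        "@timestamp": "2017-02-02T17:13:46.383Z"}
TYPED = dict(BASE, type="ssl_request")

SAMPLES = {
    # Mirrors the event posted in the thread: no type, no tags, no grok fields.
    "as_posted": BASE,
    # Constructed events showing the other outcomes.
    "grok_miss": dict(TYPED, tags=["_grokparsefailure"]),
    "date_miss": dict(TYPED, timestamp="02/JAN/2017:01:29:45 -0500",
                      tags=["_dateparsefailure"]),
    "parsed": dict(TYPED, timestamp="02/JAN/2017:01:29:45 -0500",
                   **{"@timestamp": "2017-01-02T06:29:45.000Z"}),
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        print(name, "->", triage(ev))
```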
