Logstash Grok Pattern for Timestamp with Timezone

Hi,

I am trying to match the following logs for icinga2 using the grok filter:

[2021-03-04 17:03:27 +0100] warning/GraphiteWriter: Ignoring invalid perfdata for checkable 'host!service' and command 'by_ssh' with value: /foo/bar=4242MiB;9203;9714;0;10226
Context:
	(0) Processing check result for 'host!service'

I am trying to use the following grok expression:

%{TIMESTAMP_ISO8601:timestamp}] %{WORD:log_level}/%{WORD:component}: %{GREEDYDATA:message}, which fails because of the "wrong" timestamp format.

As soon as I remove +0100 from the timestamp the filter works (except for the broken multilines).

[2021-03-04 17:03:27] warning/GraphiteWriter: Ignoring invalid perfdata for checkable 'host!service' and command 'by_ssh' with value: /foo/bar=4242MiB;9203;9714;0;10226
Context:
	(0) Processing check result for 'host!service'

becomes:

{
  "component": "GraphiteWriter",
  "log_level": "warning",
  "message": "Ignoring invalid perfdata for checkable 'host!service' and command 'by_ssh' with value: /foo/bar=4242MiB;9203;9714;0;10226\r",
  "timestamp": "2021-03-04 17:03:27"
}

Is there any other timestamp filter I can use to parse the date correctly?

Thanks

That pattern does not allow a space before the timezone. You could use mutate+gsub to remove it.

mutate { gsub => [ "message", "(:\d\d) (+\d{4}\])", "\1\2" ] }

Hey, thanks for the hint. Unfortunately this ends up in an error:

RegexpError: target of repeat operator is not specified: /(:\d\d) (+\d{4}\])/>

Did you mean (:\d\d) (\+\d{4}\]) for the regex pattern, because this works fine. Thank you!

Yes. + is a meta-character that means "one or more" of the preceding character. Since it is the first character inside the capture group (parentheses) there is no target for it. You do indeed need to escape it.

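The fix discussed above, worked through as an added example that is not part of the thread: the corrected gsub is applied to a constructed icinga2 line, and a hand-expanded approximation of the grok expression (an assumption, not Logstash's exact pattern definitions) shows why the raw line fails and the normalized line matches, with the +0100 offset kept when the timestamp is parsed.

```python
import re
from datetime import datetime

# Constructed sample line in the shape of the icinga2 log from the thread.
SAMPLE = (
    "[2021-03-04 17:03:27 +0100] warning/GraphiteWriter: Ignoring invalid perfdata "
    "for checkable 'host!service' and command 'by_ssh' with value: "
    "/foo/bar=4242MiB;9203;9714;0;10226"
)

# The corrected gsub from the thread: glue "HH:MM:SS +0100]" into "HH:MM:SS+0100]".
# Logstash writes the back-references as \1\2; Python's re.sub uses \g<1>\g<2>.
GSUB_RE = re.compile(r"(:\d\d) (\+\d{4}\])")

def normalize_timestamp(line: str) -> str:
    """Apply the same edit the mutate+gsub filter performs."""
    return GSUB_RE.sub(r"\g<1>\g<2>", line)

# Hand-expanded approximation (assumption) of the grok expression from the thread:
#   %{TIMESTAMP_ISO8601:timestamp}] %{WORD:log_level}/%{WORD:component}: %{GREEDYDATA:message}
# TIMESTAMP_ISO8601 allows an optional timezone (Z or +HHMM) directly after the
# seconds, with no separating space, which is why the raw icinga2 line does not match.
GROK_RE = re.compile(
    r"(?P<timestamp>\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}(?::\d{2}(?:[.,]\d+)?)?"
    r"(?:Z|[+-]\d{2}:?\d{2})?)\] "
    r"(?P<log_level>\w+)/(?P<component>\w+): (?P<message>.*)"
)

def grok_matches(line: str) -> bool:
    """True when the (unanchored, like grok) pattern matches the line as given."""
    return GROK_RE.search(line) is not None

def parse_line(line: str):
    """Normalize the timezone, apply the pattern, and parse the timestamp with its offset."""
    m = GROK_RE.search(normalize_timestamp(line))
    if m is None:
        return None
    fields = m.groupdict()
    # %z accepts "+0100", so the offset survives instead of being dropped.
    fields["@timestamp"] = datetime.strptime(fields["timestamp"], "%Y-%m-%d %H:%M:%S%z")
    return fields

if __name__ == "__main__":
    print("raw line matches:", grok_matches(SAMPLE))  # False
    print("normalized:", normalize_timestamp(SAMPLE)[:27])
    parsed = parse_line(SAMPLE)
    print(parsed["@timestamp"].isoformat(), parsed["log_level"], parsed["component"])
```

Note that GREEDYDATA (`.*`) stops at the first newline, so the "Context:" continuation lines are still not captured; that is the separate multiline problem the thread mentions.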
