Logstash grok timestamp from message: issue with multiple timestamp format

sunilmchaudhari · July 16, 2015, 11:27am

Hi
I am taking out timestamp field from message and setting it as eventTime as new field.
below is the code I am using.

grok { 
    match => { "message" => "%{TIMESTAMP_ISO8601:eventTime}" } 
  }
  date { 
    match => [ "eventTime", "YYYY-MM-dd HH:mm:ss"]
	target => "eventTime"
  }

there is one problem with this. It only works with the record which has YYYY-MM-dd HH:mm:ss format. It throws "java.lang.IllegalArgumentException: Invalid format:" exception for logs having different format.

I have many clients with different time formats. I don't want to write too many if else in the filter. Any other option?
Please guide me on this, how to solve this issue?

thanks
Sunil

magnusbaeck · July 16, 2015, 11:50am

The date filter accepts multiple date patterns and tries hem in order until it gets a match. See the documentation of the match parameter.

Topic		Replies	Views
Logstash date extraction help Logstash	3	612	December 26, 2016
Date AM/PM format - Logstash filter date parse error Logstash	1	1751	July 6, 2017
message=>"Failed parsing date from field", :field=>"timestamp", :value=>"2016-09-14 15:43:48.258000", :exception=>"Invalid format: \"2016-09-14 15:43:48.258000\"", Logstash	3	1320	July 6, 2017
Extract datatime in log and convert in datatime field? Logstash	3	143	November 16, 2022
_dateparsefailure when trying to overwrite @timestamp Logstash	8	146	June 7, 2024

Logstash grok timestamp from message: issue with multiple timestamp format

Related Topics