Logstash grok timestamp from message: issue with multiple timestamp format

Hi,
I am taking the timestamp field out of the message and setting it as a new field, eventTime.
Below is the code I am using.

grok {
  match => { "message" => "%{TIMESTAMP_ISO8601:eventTime}" }
}
date {
  match => [ "eventTime", "YYYY-MM-dd HH:mm:ss" ]
  target => "eventTime"
}

There is one problem with this. It only works with records that have the YYYY-MM-dd HH:mm:ss format. It throws a "java.lang.IllegalArgumentException: Invalid format:" exception for logs that have a different format.

I have many clients with different time formats. I don't want to write too many if else in the filter. Any other option?
Please guide me on this, how to solve this issue?

Thanks
Sunil

The date filter accepts multiple date patterns and tries them in order until it gets a match. See the documentation of the match parameter.

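The multi-pattern form the answer refers to, as an added example that is not part of the original posts. The list of formats and the UTC fallback timezone are assumptions about what the clients send; replace them with the formats actually seen.

```logstash
filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:eventTime}" }
  }

  date {
    # First array element is the source field; every element after it is a
    # pattern. Patterns are tried in order and the first one that parses wins.
    match => [
      "eventTime",
      "ISO8601",                    # built-in keyword, e.g. 2011-04-19T03:44:01.103Z
      "yyyy-MM-dd HH:mm:ss",        # assumed client format
      "yyyy-MM-dd HH:mm:ss,SSS",    # assumed client format (comma before millis)
      "yyyy-MM-dd HH:mm:ss.SSS"     # assumed client format (dot before millis)
    ]
    target => "eventTime"

    # Assumption: timestamps that carry no zone offset are in UTC.
    # Set this per client if their logs are written in local time.
    timezone => "UTC"

    # This is the default value, spelled out so it is easy to search for.
    # Events where no pattern matched keep the raw string in eventTime
    # and carry this tag.
    tag_on_failure => ["_dateparsefailure"]
  }
}
```

Events tagged `_dateparsefailure` still flow through the pipeline with an unparsed `eventTime`, so count or route on that tag to notice a client format that is missing from the list.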