Logstash grok timestamp from message: issue with multiple timestamp format

sunilmchaudhari · July 16, 2015, 11:27am

Hi
I am taking out timestamp field from message and setting it as eventTime as new field.
below is the code I am using.

grok { 
    match => { "message" => "%{TIMESTAMP_ISO8601:eventTime}" } 
  }
  date { 
    match => [ "eventTime", "YYYY-MM-dd HH:mm:ss"]
	target => "eventTime"
  }

there is one problem with this. It only works with the record which has YYYY-MM-dd HH:mm:ss format. It throws "java.lang.IllegalArgumentException: Invalid format:" exception for logs having different format.

I have many clients with different time formats. I don't want to write too many if else in the filter. Any other option?
Please guide me on this, how to solve this issue?

thanks
Sunil

magnusbaeck · July 16, 2015, 11:50am

The date filter accepts multiple date patterns and tries hem in order until it gets a match. See the documentation of the match parameter.

Topic		Replies	Views
Date parsing issue for getting timestamp Logstash	4	1247	May 18, 2017
Multiple timestamped log file format Logstash	7	371	May 6, 2019
Multiple Date formats in one file Logstash	4	2512	June 20, 2017
Logstash - Filtering multiple date formats - date_time_parse_exception Logstash	1	461	November 12, 2019
Logstash date extraction help Logstash	3	612	December 26, 2016

Logstash grok timestamp from message: issue with multiple timestamp format

Related topics