Logstash grok

KaPBaJIOJI · August 9, 2021, 8:59am

Good afternoon to everyone, my question is quite simple, but I'm still quite new to the elk stack. it is necessary to digest the expression through the grok filter

Mon Aug  9 15:18:25 +07 2021 mail 0

the date passes normally

%{SYSLOGTIMESTAMP}

then need to exclude the following columns +07 and 2021

if I delete these columns +07 and 2021, then the filter passes
and

%{SYSLOGTIMESTAMP} %{HOSTNAME}

it s works
but I need the grok filter to recognize the date itself, delete the columns +07 2021 and then recognize the hostname and the number.
I apologize if I wrote in a confused way.
p.s.
i am changed format date, now it has the form
Mon Aug 9 17:21:26 mail 0

The topic can be closed
my filter
%{SYSLOGTIMESTAMP} %{HOSTNAME} %{NUMBER:value:int} work))

aaron-nimocks · August 9, 2021, 12:59pm

The SYSLOGTIMESTAMP is a built in pattern that really means %{MONTH} +%{MONTHDAY} %{TIME}. As you can see this doesn't match your pattern and you can create your own like in the example below.

(?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{DATA} %{YEAR}) %{DATA:hostname} %{NUMBER:value:int}

Grok Pattern Reference

KaPBaJIOJI · August 10, 2021, 3:19am

Thanks for help, rly your example work, just need to add a space between
%{MONTH} %{MONTHDAY}
Thankyou

Badger · August 10, 2021, 3:23am

Well, you more likely want

%{MONTH} +%{MONTHDAY}

which will match "one or more" spaces between the month and the day.

KaPBaJIOJI · August 10, 2021, 3:28am

Thanks for help

system · September 7, 2021, 3:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Apply filters Logstash	3	246	May 10, 2023
_dataparsefailure in tags Logstash	9	1475	October 22, 2019
How should I filter this date? Logstash	2	260	September 9, 2021
Strugging with the date filter Logstash	3	531	July 25, 2018
Dateparsefailure - Mac Syslogs Logstash	3	333	June 4, 2018

Logstash grok

Related topics