Logstash grok

KaPBaJIOJI · August 9, 2021, 8:59am

Good afternoon to everyone, my question is quite simple, but I'm still quite new to the elk stack. it is necessary to digest the expression through the grok filter

Mon Aug  9 15:18:25 +07 2021 mail 0

the date passes normally

%{SYSLOGTIMESTAMP}

then need to exclude the following columns +07 and 2021

if I delete these columns +07 and 2021, then the filter passes
and

%{SYSLOGTIMESTAMP} %{HOSTNAME}

it s works
but I need the grok filter to recognize the date itself, delete the columns +07 2021 and then recognize the hostname and the number.
I apologize if I wrote in a confused way.
p.s.
i am changed format date, now it has the form
Mon Aug 9 17:21:26 mail 0

The topic can be closed
my filter
%{SYSLOGTIMESTAMP} %{HOSTNAME} %{NUMBER:value:int} work))

aaron-nimocks · August 9, 2021, 12:59pm

The SYSLOGTIMESTAMP is a built in pattern that really means %{MONTH} +%{MONTHDAY} %{TIME}. As you can see this doesn't match your pattern and you can create your own like in the example below.

(?<timestamp>%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{DATA} %{YEAR}) %{DATA:hostname} %{NUMBER:value:int}

Grok Pattern Reference

KaPBaJIOJI · August 10, 2021, 3:19am

Thanks for help, rly your example work, just need to add a space between
%{MONTH} %{MONTHDAY}
Thankyou

Badger · August 10, 2021, 3:23am

Well, you more likely want

%{MONTH} +%{MONTHDAY}

which will match "one or more" spaces between the month and the day.

KaPBaJIOJI · August 10, 2021, 3:28am

Thanks for help

system · September 7, 2021, 3:28am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.