Hi All,
I am also facing the same problem: Logstash is not considering my log date, but rather is using the date at which I am forwarding the logs as the @timeStamp field.
I am using
    date {
      match => [ "logdate", "YYYY-MM-dd HH:mm:ss,SSS Z" ]
    }
Okay, but what's in your logdate field? And what's in the Logstash log? If a date pattern won't match it'll usually point you to where the error is.
@magnusbaeck I have logs which have the below pattern
LOGS
    2015-02-04 14:28:30,375 +0000
Logstash Config
    grok {
      match => ["message", "%{Name:name} %{WORD:role} %{xyz_DATE:logdate}"]
      patterns_dir => "/etc/logstash/patterns"
    }
    date {
      match => [ "logdate", "YYYY-MM-dd HH:mm:ss,SSS Z" ]
      target => "@timestamp"
    }
Pattern to match the date field: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} [+-]\d{4})
I have checked the Logstash log and I am not getting any parsing errors, hence I assumed the date is parsed correctly. Moreover, I have checked in Kibana that my "logDate" field is correctly populated.
I can't reproduce with Logstash 1.5.3:
    $ cat test.config
    input { stdin { } }
    output { stdout { codec => rubydebug } }
    filter {
      date {
        match => ["message", "YYYY-MM-dd HH:mm:ss,SSS Z"]
      }
    }
    $ echo '2015-02-04 14:28:30,375 +0000' | /opt/logstash/bin/logstash -f test.config
    Logstash startup completed
    {
           "message" => "2015-02-04 14:28:30,375 +0000",
          "@version" => "1",
        "@timestamp" => "2015-02-04T14:28:30.375Z",
              "host" => "hallonet"
    }
    Logstash shutdown completed
@magnusbaeck I have run the above example in my environment, and I am getting the same results as you are.
I have found the error: for all the logs for which there is a grokparse failure, Logstash is assigning the current date (which is understandable).
Thanks for all your help.
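The cause found at the end of this thread (events whose grok match fails never get a logdate field, so they keep the time Logstash received them), shown as an added example that is not part of the original thread: a Python check that approximates the grok and date steps over constructed sample lines and reports which ones would lose their own timestamp. The `\S+` stand-in for the poster's custom `Name` pattern, the function names and the sample lines are assumptions.

```python
import re
from datetime import datetime, timezone

# Date regex quoted in the thread (the poster's xyz_DATE pattern).
XYZ_DATE = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} [+-]\d{4}"
# Assumption: the custom Name pattern is not shown in the thread, so \S+
# stands in for it; \w+ approximates grok's WORD.
LINE_RE = re.compile(r"(?P<name>\S+) (?P<role>\w+) (?P<logdate>" + XYZ_DATE + r")")
# strptime equivalent of the Joda format "YYYY-MM-dd HH:mm:ss,SSS Z".
DATE_FMT = "%Y-%m-%d %H:%M:%S,%f %z"


def classify(line, ingest_time):
    """Return (timestamp, source) roughly as the grok + date pair assigns it."""
    m = LINE_RE.search(line)  # grok matches unanchored, like re.search
    if m is None:
        # grok failed: no logdate field exists, so date{} has nothing to parse
        return ingest_time, "ingest_time (grok failure)"
    try:
        ts = datetime.strptime(m.group("logdate"), DATE_FMT)
    except ValueError:
        # field extracted, but it is not a valid date: timestamp is unchanged
        return ingest_time, "ingest_time (date failure)"
    return ts.astimezone(timezone.utc), "logdate"


def audit(lines, ingest_time):
    """Split lines into those keeping their own time and those that lose it."""
    report = {"logdate": [], "fallback": []}
    for line in lines:
        ts, source = classify(line, ingest_time)
        key = "logdate" if source == "logdate" else "fallback"
        report[key].append((ts.isoformat(), source, line))
    return report


# Constructed sample lines, not taken from the poster's logs.
SAMPLE = [
    "alice admin 2015-02-04 14:28:30,375 +0000",
    "bob operator 2015-02-04 16:28:31,001 +0200",
    "carol admin 2015-02-04 14:28:32 +0000",     # no milliseconds: grok fails
    "dave admin 2015-13-04 14:28:33,000 +0000",  # month 13: date parse fails
]

if __name__ == "__main__":
    now = datetime(2015, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
    for key, rows in audit(SAMPLE, now).items():
        for row in rows:
            print(key, *row, sep=" | ")
```

Lines reported under "fallback" are the ones that would appear in Kibana at forwarding time rather than at the time they were written.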