Logstash regex option for match settings!

gugansankar · September 10, 2016, 9:04am

In my settings, JSON is an input data. I tried to use log timestamp as index @timestamp value. Its working for normal json too.

But regex not working for nested json timestamp field match.

Here is my config.

	date {
			match => ["[a-zA-Z0-9][timestamp]", "YYYY-MM-dd HH:mm:ss"]
			target => "@timestamp"
                    }

Log file example:
{"SRV1": {"timestamp": "2016-09-09 00:30:40", "cpu": 90, "mem": 45, "disk_free": 50}}
{"SRV2": {"timestamp": "2016-09-09 00:30:40", "cpu": 80, "mem": 43, "disk_free": 64}}

Fyi,
This below configuration is working , but I have a 200 servers and its not possible to put 200 entries in the configuration. So I prefer to use regex on match settings.

	date {
			match => ["[SRV1][timestamp]", "YYYY-MM-dd HH:mm:ss"]
			target => "@timestamp"
                    }
	date {
			match => ["[SRV2][timestamp]", "YYYY-MM-dd HH:mm:ss"]
			target => "@timestamp"
                    }

magnusbaeck · September 11, 2016, 8:04pm

This kind of regular expression matching isn't supported. I suggest you use a ruby filter to normalize each event by moving the server subfields (timestamp, cpu, mem, ...) into the top level of the event, or just rename the server name field to something consistent.

Topic		Replies	Views
Logstash Does not extract timestamp from JSON Logstash	6	4947	July 6, 2017
Match timestamp and assign it as @datetime field Logstash	4	1224	December 4, 2016
Date Match is setting incorrect timestamp / not actually setting timestamp Logstash	6	376	February 24, 2021
Cannot get date to match timestamp after xml parsing Logstash	3	753	July 6, 2017
_dateparsefailure when trying to overwrite @timestamp Logstash	8	147	June 7, 2024

Logstash regex option for match settings!

Related topics