Logstash timestamp parse failed

Timofey_Gusev · August 23, 2018, 11:29am

I use logstash to store all logs from different nodes in one place. So, I use logback.xml on the node side and logstash udp listener on the other. In logback I use LogstashSocketAppender, so as I know I can't set up logs views. On the logstash side I try to parse @timestamp pararm to normal view, but I failed in this. So, I use filter and mutate to add one more same as timestamp param and try to parse it like this

 filter {
   mutate {
    add_field => { "logstash_timestamp"=> "%{@timestamp}" }
}  
 date {
match => [ "logstash_timestamp1", "YYYY-MM-dd HH:mm:ss" ]
tag_on_failure => ["timestamp_parse_failed"]
target => "logstash_timestamp"
}
}

How can I correctly get timestamp with my pattern?

This is my logback appender

<appender name="stash"  class="net.logstash.logback.appender.LogstashSocketAppender">
    <syslogHost>localhost</syslogHost>
    <port>12345</port>
</appender>

The result of my parse is: 2018-08-23T11:22:11.863

magnusbaeck · August 23, 2018, 6:21pm

I don't understand. Does the timestamp in @timestamp really have the form "YYYY-MM-dd HH:mm:ss"? Why is the date filter set up to parse logstash_timestamp1? Did you mean logstash_timestamp?

system · September 20, 2018, 6:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.