Match error grok filter

Good morning!

I'm trying to set up a grok filter in a pipeline which receives the following text:

09/10/2021, 8:30:00 AM [Message]

therefore the date format is: Month/Day/Year, Hour:Minutes:Seconds

The grok filter looks like this:

   grok {
    match => { "message" => "(?<custom_date>%{MONTHNUM}/%{MONTHDAY}/%{YEAR}, %{HOUR}:%{MINUTE}:%{SECOND})"}
    tag_on_failure => ["no_date_found"]
   }

but I can't get Logstash to recognise that date correctly. What do I have to change in the match expression to fix this? Thank you!

Hi,

Can you add stdout { codec => rubydebug } to the output part and show us the result when you have a no_date_found, please?
Because currently the grok pattern works.

Cad.

Hi Miguel,

You missed giving the expression for AM and the message after the time, which is why grok failed to match the message.

Use the grok pattern below; it should work.

   grok {
    match => { "message" => "(?<custom_date>%{MONTHNUM}/%{MONTHDAY}/%{YEAR}, %{HOUR}:%{MINUTE}:%{SECOND} %{WORD})%{GREEDYDATA:actual_message}"}
    tag_on_failure => ["no_date_found"]
   }

grok does not need to consume the entire field it is matching against. The grok pattern that Miguel gave matches "09/10/2021, 8:30:00", and when tested in logstash it matches.

Consuming the AM affects the value of the timestamp (at least when it is PM) but does not prevent the grok pattern matching.
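The two points in the replies above (grok matches unanchored, so Miguel's original pattern already succeeds on the sample line, and dropping the AM/PM marker only goes wrong when a date filter later turns custom_date into a timestamp) can be checked without a running Logstash. The script below is an added example written for this page, not code from the thread or from Logstash itself. It expands grok's %{NAME} and %{NAME:field} references into a plain Ruby regex (the same Oniguruma engine family grok uses) against a hand-copied subset of the stock pattern library, which is an assumption: the definitions are reproduced from memory of logstash-patterns-core, not read from the shipped file. The second and third sample lines are constructed; only the first comes from the thread.

```ruby
require "time"

# A subset of the stock grok pattern library (logstash-patterns-core), reproduced
# here from memory so the script runs offline. Treat these as an approximation of
# the shipped definitions, not the authoritative file.
PATTERNS = {
  "MONTHNUM"   => '(?:0?[1-9]|1[0-2])',
  "MONTHDAY"   => '(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])',
  "YEAR"       => '(?>\d\d){1,2}',
  "HOUR"       => '(?:2[0123]|[01]?[0-9])',
  "MINUTE"     => '(?:[0-5][0-9])',
  "SECOND"     => '(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)',
  "WORD"       => '\b\w+\b',
  "GREEDYDATA" => '.*',
}.freeze

# The two patterns posted in the thread, verbatim.
MIGUEL_PATTERN = '(?<custom_date>%{MONTHNUM}/%{MONTHDAY}/%{YEAR}, %{HOUR}:%{MINUTE}:%{SECOND})'
FULL_PATTERN   = '(?<custom_date>%{MONTHNUM}/%{MONTHDAY}/%{YEAR}, %{HOUR}:%{MINUTE}:%{SECOND} %{WORD})%{GREEDYDATA:actual_message}'

# Expand %{NAME} and %{NAME:field} into a plain regex. Grok compiles to the same
# Oniguruma family of engine that Ruby uses, so (?<name>...) syntax carries over.
# An unknown pattern name raises, as grok does when the pipeline is compiled.
def grok_to_regex(pattern)
  expanded = pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    name, field = Regexp.last_match(1), Regexp.last_match(2)
    body = PATTERNS.fetch(name) { raise ArgumentError, "unknown grok pattern #{name}" }
    field ? "(?<#{field}>#{body})" : "(?:#{body})"
  end
  Regexp.new(expanded)
end

# The match is unanchored, exactly like grok: the pattern only has to match
# somewhere in the field, it does not have to consume all of it. Returns the
# captured fields, or nil on a miss (when Logstash would add tag_on_failure).
def grok_match(pattern, message)
  m = grok_to_regex(pattern).match(message)
  return nil unless m
  m.names.each_with_object({}) { |n, h| h[n] = m[n] }
end

# Simulate the filter block from the thread on one event.
def apply_filter(pattern, message, tag_on_failure: "no_date_found")
  fields = grok_match(pattern, message)
  return { "message" => message, "tags" => [tag_on_failure] } if fields.nil?
  { "message" => message }.merge(fields)
end

# What a date filter would make of custom_date. Without the AM/PM marker the only
# honest reading of "8:30:00" is 24-hour time, so a PM event lands at 08:30, not 20:30.
def parse_custom_date(custom_date)
  if custom_date =~ /\s[AP]M\z/i
    Time.strptime(custom_date, "%m/%d/%Y, %I:%M:%S %p")
  else
    Time.strptime(custom_date, "%m/%d/%Y, %H:%M:%S")
  end
end

# Sample events: the first is the line from the thread, the other two are constructed.
SAMPLES = [
  "09/10/2021, 8:30:00 AM [Message]",
  "09/10/2021, 8:30:00 PM [Message]",
  "pipeline started (no timestamp here)",
].freeze

if __FILE__ == $0
  SAMPLES.each do |line|
    [MIGUEL_PATTERN, FULL_PATTERN].each do |pat|
      ev = apply_filter(pat, line)
      hour = ev["custom_date"] ? parse_custom_date(ev["custom_date"]).hour : nil
      puts "#{line.inspect} -> #{ev.reject { |k, _| k == 'message' }.inspect} hour=#{hour.inspect}"
    end
  end
end
```

Running it shows Miguel's pattern capturing "09/10/2021, 8:30:00" from the first line (no no_date_found tag), the fuller pattern capturing "09/10/2021, 8:30:00 AM" plus an actual_message of " [Message]" with its leading space, and the third line getting the tag under both patterns. The PM line is where the two patterns diverge: the truncated custom_date parses to hour 8, the one that kept "PM" to hour 20, which is the point made above about the timestamp.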
