Match error grok filter

mar-ro · September 10, 2021, 8:55am

Good morning!

I'm trying to set up a grok filter to a pipeline which receives the following text:

09/10/2021, 8:30:00 AM [Message]

therefore the date format is: Month/Day/Year, Hour:Minutes:Seconds

The grok filter looks like this:

   grok {
    match => { "message" => "(?<custom_date>%{MONTHNUM}/%{MONTHDAY}/%{YEAR}, %{HOUR}:%{MINUTE}:%{SECOND})"}
    tag_on_failure => ["no_date_found"]
   }

but I can't get logstash to recognise that date correctly. What I have to change in the match expresion to fix this? Thank you !!

Cad · September 10, 2021, 10:04pm

Hi,

Can you add stdout { codec => rubydebug } to the output part and show us the result when you have a no_date_found please.
Because currently the grok pattern work.

Cad.

chandu5565 · September 11, 2021, 3:18pm

Hi Miguel,

you missed to give the expression for AM , message after the time because of which grok failed to match the message.

use the below grok pattern it should work.

   grok {
    match => { "message" => "(?<custom_date>%{MONTHNUM}/%{MONTHDAY}/%{YEAR}, %{HOUR}:%{MINUTE}:%{SECOND} %{WORD})%{GREEDYDATA:actual_message}"}
    tag_on_failure => ["no_date_found"]
   }

Badger · September 11, 2021, 3:24pm

grok does not need to consume the entire field it is matching against. The grok pattern that Miguel gave matches "09/10/2021, 8:30:00", and when tested in logstash it matches.

Consuming the AM affects the value of the timestamp (at least when it is PM) but does not prevent the grok pattern matching.

system · October 9, 2021, 3:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Date Filter Doesn't Work Logstash	6	923	November 2, 2018
Logstash timestamp issue Logstash	4	486	March 6, 2017
__dateparsefailure trying match date Logstash	2	422	October 14, 2017
Date filter issues Logstash	3	485	July 6, 2017
Date format match Logstash	5	390	July 10, 2018

Match error grok filter

Related topics