Match error grok filter

mar-ro · September 10, 2021, 8:55am

Good morning!

I'm trying to set up a grok filter to a pipeline which receives the following text:

09/10/2021, 8:30:00 AM [Message]

therefore the date format is: Month/Day/Year, Hour:Minutes:Seconds

The grok filter looks like this:

   grok {
    match => { "message" => "(?<custom_date>%{MONTHNUM}/%{MONTHDAY}/%{YEAR}, %{HOUR}:%{MINUTE}:%{SECOND})"}
    tag_on_failure => ["no_date_found"]
   }

but I can't get logstash to recognise that date correctly. What I have to change in the match expresion to fix this? Thank you !!

Cad · September 10, 2021, 10:04pm

Hi,

Can you add stdout { codec => rubydebug } to the output part and show us the result when you have a no_date_found please.
Because currently the grok pattern work.

Cad.

chandu5565 · September 11, 2021, 3:18pm

Hi Miguel,

you missed to give the expression for AM , message after the time because of which grok failed to match the message.

use the below grok pattern it should work.

   grok {
    match => { "message" => "(?<custom_date>%{MONTHNUM}/%{MONTHDAY}/%{YEAR}, %{HOUR}:%{MINUTE}:%{SECOND} %{WORD})%{GREEDYDATA:actual_message}"}
    tag_on_failure => ["no_date_found"]
   }

Badger · September 11, 2021, 3:24pm

grok does not need to consume the entire field it is matching against. The grok pattern that Miguel gave matches "09/10/2021, 8:30:00", and when tested in logstash it matches.

Consuming the AM affects the value of the timestamp (at least when it is PM) but does not prevent the grok pattern matching.

system · October 9, 2021, 3:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.