You can clear the date filter's tag_on_failure option to avoid the _dateparsefailure tag. If you want to keep that tag if none of the filters matched, that's possible but will require a bunch of conditionals and probably a few mutate filters.
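The fallback described in the reply above, written out as an added example that is not part of the original thread: each date filter has tag_on_failure cleared and adds a temporary marker tag on success, and a final conditional restores _dateparsefailure only when no filter matched. The two patterns and the `_date_matched` tag name are placeholders chosen for illustration.

```logstash
filter {
  # First candidate format (placeholder pattern). tag_on_failure is cleared so
  # a miss here does not tag the event; add_tag is applied only on a
  # successful parse.
  date {
    match => [ "timestamp", "EEE MMM dd HH:mm:ss yyyy" ]
    tag_on_failure => [ ]
    add_tag => [ "_date_matched" ]
  }

  # Try the second candidate format (placeholder pattern) only if the first
  # filter did not match.
  if "_date_matched" not in [tags] {
    date {
      match => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
      tag_on_failure => [ ]
      add_tag => [ "_date_matched" ]
    }
  }

  # Drop the temporary marker on success; otherwise tag the event so that
  # records with an unparsed timestamp can still be found downstream.
  if "_date_matched" in [tags] {
    mutate { remove_tag => [ "_date_matched" ] }
  } else {
    mutate { add_tag => [ "_dateparsefailure" ] }
  }
}
```

An event whose timestamp is not parsed keeps the @timestamp assigned at ingestion, so retaining the failure tag is what lets you separate those events from correctly dated ones when building timelines.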
Thanks for the info! Didn't grasp that tag_on_failure was the right thing for me.
Works for me now.
I just noticed one of the patterns is still wrong - the time contains microseconds - which it looks like can't be parsed using logstash/jodatime.
What can I do to match the rest of the date/time?
Fri Mar 02 10:03:03.048488 2018
date {
match => [ "timestamp", "EEE MMM dd HH:mm:ss.SSS**SSS** yyyy" ]
tag_on_failure => [ ]
}