Need help with the grok and the date filter for parsing logs

Gaurav_Singh1 · June 2, 2017, 1:33pm

Below is the json one :

{
"_index": "splunk",
"_type": "logs",
"_id": "AVxn5KYXN2Qa6z_B1oMa",
"_score": 1,
"_source": {
"Status": "Resolved",
"Message2": "1",
"Message1": "Up",
"ConfigItem": "nypl-mt4.iii.com",
"Time": "Monday, May 15, 2017 12:54 PM",
"Severity": "Warning",
"message": "Time=Monday, May 15, 2017 12:54 PM;Source=APM;Status=Resolved;Severity=Warning;Location=SYRDC-TO;ConfigItem=nypl-mt4.iii.com;Alert=III-TO - HTTP Check for Encore;Message1=Up;Message2=1",
"Source": "APM",
"path": "/opt/capital.log",
"@timestamp": "2017-05-15T12:54:00.000Z",
"@version": "1",
"host": "b3b3ecef78ac",
"Alert": "III-TO - HTTP Check for Encore",
"Location": "SYRDC-TO"
},
"fields": {
"@timestamp": [
1494852840000
]
}
}

And this is from the table one :

@timestamp May 15th 2017, 18:24:00.000
t @version 1
t Alert III-TO - HTTP Check for Encore
t ConfigItem nypl-mt4.iii.com
t Location SYRDC-TO
t Message1 Up
t Message2 1
t Severity Warning
t Source APM
t Status Resolved
t Time Monday, May 15, 2017 12:54 PM
t _id AVxn5KYXN2Qa6z_B1oMa
t _index splunk

_score 1

t _type logs
t host b3b3ecef78ac
t message Time=Monday, May 15, 2017 12:54 PM;Source=APM;Status=Resolved;Severity=Warning;Location=SYRDC-TO;ConfigItem=nypl-mt4.iii.com;Alert=III-TO - HTTP Check for Encore;Message1=Up;Message2=1
t path /opt/capital.log

Gaurav_Singh1 · June 2, 2017, 1:34pm

these logs are in PST and I am in IST.

magnusbaeck · June 2, 2017, 1:47pm

If the logs are PST (I actually think you mean PDT) then "Monday, May 15, 2017 12:54" should be transformed to 2017-05-15T19:54Z. Perhaps the timezone isn't correctly set in your Docker container? You can use the date filter's timezone option to force it to America/Los_Angeles or whatever is most appropriate in your case.

Gaurav_Singh1 · June 27, 2017, 10:50am

Hi Magnus,

Need help on the input of logstash , as I want to visualize performance data of solarwind server in real time.

What would be the possible choices for getting the data as input in logstash ? (As solarwind is a windows server and my ELK stack is running on docker on a centos7 machine)

Regards,
Gaurav Singh

magnusbaeck · June 27, 2017, 11:34am

You could use Filebeat on the Windows machine to ship the log files to Logstash.

Gaurav_Singh1 · June 27, 2017, 12:15pm

Will it work in real time as well ?

magnusbaeck · June 27, 2017, 12:23pm

Yes.

Gaurav_Singh1 · June 27, 2017, 2:47pm

Can we go with the Winscp option ?

magnusbaeck · June 27, 2017, 2:56pm

I don't know what "the Winscp option" means.

system · July 25, 2017, 2:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.