Need to create a timestamp by concatenating the fields

Elastic Stack Logstash
1

log file : INFO [Thread-6] (newcleintt.java:1400) - Trying to connect to broker: local-broker (ssl://localhost:1234)

filter used :

 grok {
                           match => {"message" => "%{LOGLEVEL:loglevel} \{%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second},%{INT}\} %{GREEDYDATA:message}"}
                           overwrite => [ "message"]
                           
                         }
mutate {
  add_field => {"logtimeStamp" => "%{year}-%{month}-%{day} %{hour}:%{minute}:%{second}"}
  }

mutate {
remove_field => [ "year", "month", "day", "hour", "minute", "second" ]
}

mutate {
        split => ["host", "."]
        add_field => { "hostname" => "%{[host][0]}" }
        add_field => { "myName" => "%{[host][1]}" }
        add_field => { "ignore" => "%{[host][2]}" }
        remove_field => ["ignore", "host"]
    }	
	
mutate {
remove_field => ["@timestamp", "@version"]
}

"message" => "8PRF/abcbcbcbcbcbcbcbcbcO0tlFYQXBl",
"myName" => "abc-a7",
"tags" => [
[0] "_grokparsefailure"
],
"logtimeStamp" => "%{year}-%{month}-%{day} %{hour}:%{minute}:%{second}",
"hostname" => "abc-br-01abcdef",
"type" => "abc",
"path" => "/abc/logs/abc.log.3"

The logtimeStamp is not changed and there is grokparse failure.

2

Your log file does not contain a date, so grok is never going to match it.

3

Sorry : This is the log file INFO {2020-03-25 01:14:54,270} [Thread-5] (Client.java:1407) - Client connected to broker: local-mybrokerr (ssl://localhost:1234)

4

Except it is not, is it...

5

That was the different field what i shared.
message: [Thread-5] (Client.java:1407) - Client connected to broker: local-mybrokerr (ssl://localhost:1234)

6

@Badger Any help!

7

The filter what i mentioned above works. I had 2 patterns of logs hence the grokparse failure was misleading.

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.