I have Nginx as a load balancer, and it generates logs without year or seconds information in the timestamp. One of those log entries is:
```
08-10 09:28 root ERROR Error connecting to CRS REST API : [Errno 111] Connection refused
Error connecting to CRS REST API : [Errno 111] Connection refused
```
The grok pattern for this is:

```
(?m)%{MONTHNUM:monthNum}\-%{MONTHDAY:monthDay}\s*%{HOUR:hour}:%{MINUTE:minute}\s*%{WORD}\s*%{LOGLEVEL_CUSTOM:severity}\s*%{GREEDYDATA:messagePayload}
```
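For reference, this is roughly how the pattern sits in a Logstash pipeline (a sketch; the `patterns_dir` path is an assumption, and `LOGLEVEL_CUSTOM` is a custom pattern that has to be defined there):

```
filter {
  grok {
    # LOGLEVEL_CUSTOM is not a stock pattern, so it must be defined
    # in a file under patterns_dir (path here is an assumption)
    patterns_dir => ["/etc/logstash/patterns"]
    match => {
      "message" => "(?m)%{MONTHNUM:monthNum}\-%{MONTHDAY:monthDay}\s*%{HOUR:hour}:%{MINUTE:minute}\s*%{WORD}\s*%{LOGLEVEL_CUSTOM:severity}\s*%{GREEDYDATA:messagePayload}"
    }
  }
}
```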
I understand that the year can be filled in by Logstash with the current year, which is fine with me since the logs are not old and are collected daily. But the seconds part is important, and I am not sure how to handle it.
One additional thing: I am using the date filter to convert it to a timestamp to be stored in Elasticsearch.
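For anyone reading along, a date filter for a field built from these captures would look something like this sketch (the `timestamp` field name and the `ddMM HH:mm` format are assumptions based on the rest of the thread):

```
filter {
  date {
    # the source format carries no year and no seconds
    match => [ "timestamp", "ddMM HH:mm" ]
    timezone => "UTC"
  }
}
```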
Yes, the timestamp in the log and in Elasticsearch were different. Right now I don't have that data, as the system was reset; sorry about that. For example, in the log mentioned above the date was 10th Aug and the time was 09:28 UTC, but when querying ES the date was 11th Aug and the time was different as well.
The date filter sees the field and tries to match it against the formats listed there. In my case, `ddMM HH:mm` was not matching "%{monthDay}%{monthNum} %{hour}:{minute}".
I spotted the error just now; you can see it in the mutate filter:
```
add_field => { "timestamp" => "%{monthDay}%{monthNum} %{hour}:{minute}"
```
The `%` is missing from `%{minute}`. I have corrected it and am just going to test it.
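With the `%` restored, the corrected mutate reads like this (a sketch of the relevant part of my config):

```
filter {
  mutate {
    # rebuild a single timestamp field from the grok captures;
    # note %{minute}, not {minute}
    add_field => { "timestamp" => "%{monthDay}%{monthNum} %{hour}:%{minute}" }
  }
}
```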
One doubt remains: what happens if the seconds part is missing from the time?
Yeah, the seconds will not be as easy as the year. I will see how the system takes it and add a reply here so that other users can use it as a base reference.
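For anyone using this thread as a base reference: as far as I can tell, the date filter covers both gaps on its own, though this is worth verifying on your Logstash version. A match format without a year makes the filter assume the current year, and a format without seconds parses with the seconds set to 00:

```
filter {
  date {
    # "ddMM HH:mm" has no yyyy -> the filter assumes the current year;
    # no ss -> the parsed seconds come out as 00.
    # The timezone is an assumption; set it to the zone the logs are
    # written in, otherwise @timestamp can shift to a different day.
    match => [ "timestamp", "ddMM HH:mm" ]
    timezone => "UTC"
  }
}
```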