Odd timestamp in syslog gives formatting error in ingest pipeline


#1

Hello,

The timestamp in my syslog has two spaces between month and day. So my ingest pipeline works fine for days from 10 - 31, but fails for dates 1 - 9, since these are single dates and not two digits.
Is there any way to fix this?

Here's an example

The timestamp in my syslog is

Aug  4 09:06:01 hostname [25831]: syslog data

As you can see, there are two spaces between Aug and 4, and that's giving me a parsing error. But this works fine once it hits Aug 10.

Here's the date processor in my pipeline

  {
    "date": {
      "field": "timestamp",
      "formats": [
        "MMM dd HH:mm:ss"
      ],
      "timezone": "America/Chicago"
    }
  },

This is the error in my failed index

Invalid format: \"Aug  4 09:06:01\" is malformed at \" 4 09:06:01

Right now, I am planning to change the time format in the syslog to something more suitable, but wanted to check if there's a workaround for this.


#2

I was able to split my timestamp into MONTH, MONTHDAY and then use set processor to add them back together to get the timestamp.
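
The split-and-rejoin approach described in the reply above, written out as a request body for `POST _ingest/pipeline/_simulate`. This is an added example, not the poster's actual pipeline: the `ts_month`, `ts_day` and `ts_time` field names and both sample documents are constructed, and the grok is assumed to run on the existing `timestamp` field.

```json
{
  "pipeline": {
    "description": "Added example (constructed): normalize space-padded syslog day before date parsing",
    "processors": [
      {
        "grok": {
          "field": "timestamp",
          "patterns": [
            "%{MONTH:ts_month} +%{MONTHDAY:ts_day} %{TIME:ts_time}"
          ]
        }
      },
      {
        "set": {
          "field": "timestamp",
          "value": "{{ts_month}} {{ts_day}} {{ts_time}}"
        }
      },
      {
        "date": {
          "field": "timestamp",
          "formats": [
            "MMM d HH:mm:ss"
          ],
          "timezone": "America/Chicago"
        }
      },
      {
        "remove": {
          "field": ["ts_month", "ts_day", "ts_time"]
        }
      }
    ]
  },
  "docs": [
    { "_source": { "timestamp": "Aug  4 09:06:01" } },
    { "_source": { "timestamp": "Aug 10 09:06:01" } }
  ]
}
```

The ` +` in the grok pattern accepts one or more spaces between month and day, and the single `d` in the date format accepts both one-digit and two-digit days once the field has been rejoined with a single space.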

