Overwrite @timestamp field

Hi,
I am trying to overwrite the @timestamp field with the time from the log source, but Logstash fails to start when trying to run. I am guessing it has something to do with the "-04" in the time. See below the time from the actual log:

2022-08-30 12:34:38.88910-04

I am breaking it out as follows, but I believe the "INT" is causing me issues.

%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}.%{INT}-%{INT}

input {
  tcp {
    port => 8090
    tags => ["custom_app1"]
    codec => json { }
  }
}

filter {
  grok {
    pattern_definitions => {
      "customtime" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND}.%{INT}-%{INT}"
      "customtime2" => "%{HOUR}:%{MINUTE}:%{SECOND}"
    }
    match => { "message" => [ "%{customtime:timestamp} %{customtime2:session_endtime} %{WORD:log_level} %{NOTSPACE:sessions_id} %{GREEDYDATA:action}\s\{\"\id\"\:%{NUMBER:id}\,\D+%{NUMBER:to_be_assigned}\,\D+\:\"%{NOTSPACE:user_name}\"\,\"\w+\"\:\[%{GREEDYDATA:to_be_unassigned}\,\"\:\[\{\"\w+\"\:%{NUMBER:id2}\,\"\w+\"\:\"%{GREEDYDATA:category}\"\}\,\{\"\w+\"\:%{GREEDYDATA:id3}\]\}\,\"\w+\"\:\"%{GREEDYDATA:user_role}\"%{GREEDYDATA:rest_msg}" ] }
  }

  date {
    locale => "$LANG"
    match => [ "timestamp", "YYYY-MM-DD HH:MM:SS.SSSSSS-TZ" ]
    target => "@timestamp"
  }
}

output {
#  elasticsearch { hosts => ["localhost:9200"] }
  stdout { codec => rubydebug }
}

The timestamp is written to the timestamp field as follows
"timestamp" => "2022-08-30 12:34:38.88910-04"

I feel like this "YYYY-MM-DD HH:MM:SS.SSSSSS-TZ" is causing me issues

This works:
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSZ" ]

Result:
"@timestamp" => 2022-08-30T16:34:38.889Z

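An independent check of the Result in the reply above, as an added example that is not part of the original thread: it parses the source timestamp with its short "-04" offset, converts it to UTC, and renders it at millisecond precision so the pipeline output can be compared against a known value. The function names are assumptions made for this example; accepting the "-0400" and "-04:00" offset forms goes beyond the single case shown in the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Date, time, optional fraction, then an offset written as -04, -0400 or -04:00.
TS_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2}) (\d{2}):(\d{2}):(\d{2})"
    r"(?:\.(\d{1,9}))?"
    r"([+-])(\d{2})(?::?(\d{2}))?$"
)


def to_utc(ts: str) -> datetime:
    """Parse a source timestamp and return an aware datetime in UTC."""
    m = TS_RE.match(ts)
    if m is None:
        raise ValueError(f"unrecognised timestamp: {ts!r}")
    y, mo, d, h, mi, s, frac, sign, oh, om = m.groups()
    # Right-pad the fraction to microseconds: "88910" -> 889100.
    micros = int((frac or "0").ljust(6, "0")[:6])
    offset = timedelta(hours=int(oh), minutes=int(om or 0))
    if sign == "-":
        offset = -offset
    local = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                     micros, tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)


def as_event_timestamp(ts: str) -> str:
    """Render in the millisecond form shown in the rubydebug output."""
    utc = to_utc(ts)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"


if __name__ == "__main__":
    # Sample value taken from the log line quoted in the question.
    sample = "2022-08-30 12:34:38.88910-04"
    print(as_event_timestamp(sample))
```
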