Problem date parsing

Sam67000 · April 28, 2017, 2:09pm

Hello everybody.
I have a small problem with some type of log annd I need your help.
I couldn't extract the date.

The logs are as follows :

[2017/04/25 15:39:46.255][Info] Block [[Main]][1][ALLOCALL]
[2017/04/25 15:39:46.255][Info] Value '' is assigned to variable [NUMEROCOLORE]
[2017/04/25 15:39:46.255][Info] Jump to block [[Main]][660]

I tried with the following filter but it doesn't work :
match => {"message" => "^%{TIMESTAMP_ISO8601:Date}"}

Thank you for ur help !

magnusbaeck · April 28, 2017, 2:13pm

You have two problems:

Your grok expression needs to take into account that your log line starts with [.
Your timestamp isn't in ISO8601 format so you can't use TIMESTAMP_ISO8601.

Sam67000 · April 28, 2017, 2:23pm

Is that better :
match => {"message" => "[%{YEAR}/%{MONTH}/%{MONTHDAY} %{TIME}]:Time"}

It doesn't work also.

magnusbaeck · April 28, 2017, 2:27pm

Try this expression:

^\[(?<Time>%{YEAR}/%{MONTHNUM}/%{MONTHDAY} %{TIME})\]...

Sam67000 · April 28, 2017, 2:38pm

It's work ! Thank you very much !!!

system · May 26, 2017, 2:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.