Replacing @timestamp with custom date

Hi,

I am using Filebeat to send lines from a DHCP log (from Windows Server DHCP), and I am trying to replace the @timestamp field. Here is an example line from the DHCP log file:

11,12/14/17,14:22:04,Renew,10.1.65.60,pcname.domain.com,00A0D4645F14,,3853582496,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0

Using this filter:

filter {
 if [type] == "dhcp" {
  grok {
    patterns_dir => "/etc/logstash/conf.d/patterns"
    match => { "message" => "%{NUMBER:dhcpevent},%{DHCPDATE:timestamp},%{WORD:dhcpaction},%{IP:clientip},%{DATA:hostname},%{WORD:macaddress}" }
  }
  #turn timestamp from grok into @timestamp
  date {
    match => [ "timestamp", "dd/MM/yy,HH:mm:ss" ]
    target => "@timestamp"
  }
 }
}

And this grok pattern: DHCPDATE %{MONTHNUM}/%{MONTHDAY}/%{YEAR},%{TIME}

But it is not working. Here is the rubydebug output:

{
        "offset" => 1935569,
    "input_type" => "log",
     "dhcpevent" => "11",
        "source" => "C:\\Windows\\System32\\dhcp\\DhcpSrvLog-Thu.log",
       "message" => "11,12/14/17,14:22:04,Renew,10.1.65.60,pcname.domain.com,00A0D4645F14,,3853582496,0,,,,0x4D53465420352E30,MSFT 5.0,,,,0",
          "type" => "dhcp",
          "tags" => [
        [0] "beats_input_codec_plain_applied",
        [1] "_dateparsefailure"
    ],
      "hostname" => "pcname.domain.com",
    "@timestamp" => 2017-12-14T13:23:02.140Z,
      "clientip" => "192.168.5.60",
      "@version" => "1",
          "beat" => {
        "hostname" => "somehostname",
            "name" => "somehostname",
         "version" => "5.4.0"
    },
          "host" => "somehostname",
    "macaddress" => "00A0D4645F14",
    "dhcpaction" => "Renew",
     "timestamp" => "12/14/17,14:22:04"
}

What am I doing wrong?

Your date format is MM/dd/yyyy, not dd/MM/yyyy.

You are right, after changing the format it works. Can't believe I missed this...

Thanks for the help!
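
Added example (not part of the original thread, and not Logstash or Elastic code): the day/month swap discussed above only produces a parse failure when the day is greater than 12; on other days the wrong pattern parses cleanly and stamps the event with the wrong date, which skews any timeline built from the logs. The sketch below reproduces both outcomes using Python strptime formats as stand-ins for the two Logstash patterns; the sample lines and function names are constructed for illustration.

```python
from datetime import datetime

# Constructed sample lines in the Windows DHCP log layout quoted in the thread
# (event id, date, time, action, IP, hostname, MAC, ...).
SAMPLE_LINES = [
    "11,12/14/17,14:22:04,Renew,10.1.65.60,pcname.domain.com,00A0D4645F14,,",
    "10,12/05/17,09:10:11,Assign,10.1.65.61,other.domain.com,00A0D4645F15,,",
]

# Assumed Python strptime stand-ins for the two Logstash date patterns.
MONTH_FIRST = "%m/%d/%y,%H:%M:%S"  # MM/dd/yy,HH:mm:ss (what the log uses)
DAY_FIRST = "%d/%m/%y,%H:%M:%S"    # dd/MM/yy,HH:mm:ss (the original filter)


def extract_timestamp(line):
    """Return the 'date,time' portion (fields 2 and 3) of a DHCP log line."""
    fields = line.split(",")
    if len(fields) < 3:
        raise ValueError("not a DHCP event line: %r" % line)
    return fields[1] + "," + fields[2]


def try_parse(stamp, fmt):
    """Parse stamp with fmt; None corresponds to a _dateparsefailure tag."""
    try:
        return datetime.strptime(stamp, fmt)
    except ValueError:
        return None


def classify(line):
    """Compare both patterns on one line and report how the wrong one behaves."""
    stamp = extract_timestamp(line)
    correct = try_parse(stamp, MONTH_FIRST)
    wrong = try_parse(stamp, DAY_FIRST)
    if correct is None:
        return "unparseable"
    if wrong is None:
        return "wrong pattern fails loudly"  # day > 12 is not a valid month
    if wrong != correct:
        return "wrong pattern silently shifts date"
    return "both agree"  # day equals month, e.g. 03/03/17


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_timestamp(line), "->", classify(line))
```

Running a check like this over a full month of log lines before trusting the pipeline shows whether a pattern only appears to work because the test data happened to fall on days 13 to 31.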
