Timestamp format in logstash 1.5.6

manopmk · March 23, 2017, 1:25pm

My log have this format 11-30-2016 12:13:57 INFO - Mapped "{[/transaction/get-account-history],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}"

then how do i include timestamp format in filter ?

my second query is
i included path => ["/Users/tcstsb3/Downloads/log/*.log"] contain many logs

How to combine all logs and sort based on time
In kibana i want to show like
Example :
11-30-2016 12:13:57 INFO hello ....(from log1)
11-30-2016 12:13:57 INFO hai ..... (from log2)
11-30-2016 12:13:58 INFO msg .....(from log1)

magnusbaeck · March 23, 2017, 1:36pm

then how do i include timestamp format in filter ?

Use a grok filter to extract the timestamp, loglevel, and possibly other pieces of the string into separate fields. Then use a date filter to parse the timestamp string into the @timestamp field.

How to combine all logs and sort based on time

As long as your date filter works that's exactly how Kibana will behave.

manopmk · March 23, 2017, 1:40pm

Thank you so much buddy

i tried
filter {

grok {
  match => { "message" => "%{COMBINEDAPACHELOG}" }
 }

date {
   match => [ "timestamp" , "MM-dd-yyyy HH:mm:ss Z" ]
 }

}

doesnt work correctly..
can you correct my format

magnusbaeck · March 23, 2017, 1:45pm

Your log isn't an Apache log so COMBINEDAPACHELOG obviously won't work. Perhaps the grok constructor web site can help you create a usable grok expression.

manopmk · March 23, 2017, 1:47pm

mine apache log only buddy

just for sample i mentioned like
11-30-2016 12:13:57 INFO hello ....(from log1)
11-30-2016 12:13:57 INFO hai ..... (from log2)
11-30-2016 12:13:58 INFO msg .....(from log1)

but im using apache log only

how can i change my timestamp format so that it will sort based on timestamp

magnusbaeck · March 23, 2017, 1:52pm

The log examples you have shown aren't Apache combined logs so COMBINEDAPACHELOG won't work, period.

manopmk · March 23, 2017, 1:54pm

this my apache web server log only buddy

11-30-2016 12:13:57 INFO - Mapped "{[/transaction/get-account-history],methods=[POST],params=[],headers=[],consumes=[],produces=[],custom=[]}"

magnusbaeck · March 23, 2017, 1:57pm

As I've already said:

That's not an Apache combined log.
The grok constructor web site can help you create a usable grok expression.

Over and out.

manopmk · March 24, 2017, 6:02am

Thank you buddy, i removed that
my msg like 11-30-2016 12:13:57 INFO...
im trying to modify the timestamp of log

filter {
grok {
match => [ "message" , "MM-dd-YYYY HH:mm:ss" ]
}
date {
match => [ "timestamp" , "MM-dd-YYYY HH:mm:ss" ]
target => "@timestamp"
}
}

but json still showing like this

"message" => "11-10-2016 12:13:57 INFO - FrameworkServlet 'dispatcher': initialization completed in 39 ms",
"@version" => "1",
"@timestamp" => "2017-03-24T05:59:14.365Z",
"host" => "Vishnu-Prasad.local",
"path" => "/Users/tcstsb3/Downloads/log/starbuck-batch.log",
"tags" => [
[0] "_grokparsefailure"
]

timestamp format not changed ..

system · April 21, 2017, 6:02am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.