@timestamp not match with log timestamp

Ken_Pang · April 29, 2024, 8:37am

I'm new to ELK, I've search the related post here, but still unable to get my event timestamp work, anyone can help?

my sample data
2024/04/29 15:46:11.833
Dev = TTA10B6001-01, Data: Current State = ReadTagStatus, New State = WaitReadTagStatusComplete

2024/04/29 15:46:11.880
Dev = RDR_TTA10B6001_01, Data: Current State = Idle, New State = WakeTag, debug info Command: ReadTagStatus

2024/04/29 15:46:11.880
Dev = TTLRPHA002-01, Data: uiSerialNumber: 177841

filebeat

filebeat.inputs:
- type: filestream
  id: my-stratusserver-log
  enabled: true
  take_over: true
  paths:
    - D:\IntelliMove3\Log\Event\**\*.log
  ignore_older: 2h
  fields:
  content_type: log
  fields_under_root: true
  tags: ["log"]
  parsers:
    - multiline:
        pattern: '^[0-9]{4}\/[0-9]{2}\/[0-9]{2} [0-9]{2}\:[0-9]{2}\:[0-9]{2}\.[0-9]{3}'
        negate: true
        match: after

logstash

filebeat.inputs:

- type: filestream
  id: my-stratusserver-log
  enabled: true
  take_over: true
  paths:
    - D:\IntelliMove3\Log\Event\**\*.log
  ignore_older: 2h
  fields:
  content_type: log
  fields_under_root: true
  tags: ["log"]
  parsers:
    - multiline:
        pattern: '^[0-9]{4}\/[0-9]{2}\/[0-9]{2} [0-9]{2}\:[0-9]{2}\:[0-9]{2}\.[0-9]{3}'
        negate: true
        match: after

Ken_Pang · April 29, 2024, 9:47am

Sorry, I can't find edit post button

logstash

filter {
        grok {
            match => { "message" => "(?<log_datetime>%{YEAR}\/%{MONTHNUM}\/%{MONTHDAY} %{TIME})\\n%{GREEDYDATA:Data}" }
        }
        date {
            match => [ "log_datetime", "yyyy/MM/dd HH:mm:ss.SSS" ]
            timezone => "Singapore"
            remove_field => ["log_datetime"]
        }