Only now am I reading your previously posted config properly:
match => [ "message", "%{(\d){4}-(\d){2}-(\d){2} (\d){2}:(\d){2}:(\d){2},(\d){3}:sourcestamp}" ]
I've never seen this syntax used before and I can only assume it doesn't work. The %{X:Y} notation doesn't allow X to be a regular expression, only the name of a grok pattern. Either use a named grok pattern (TIMESTAMP_ISO8601 probably works in this case) or skip the grok syntax altogether:
match => [ "message", "(?<sourcestamp>(\d){4}-(\d){2}-(\d){2} (\d){2}:(\d){2}:(\d){2},(\d){3})" ]
I tried a named pattern first, unfortunately it fails with the following error:
{:timestamp=>"2016-04-25T13:59:30.262000-0700", :message=>"Failed parsing date from field", :field=>"sourcestamp", :value=>"2016-04-25T00:00:00Z", :exception=>"Invalid format: \"2016-04-25T00:00:00Z\" is malformed at \"T00:00:00Z\"", :config_parsers=>"yyyy-MM-dd HH:mm:ss,SSS", :config_locale=>"default=en_US", :level=>:warn}
Search seems to suggest it has to do with the Java date library being very strict about the format.
I also tried switching the format like you suggested, but I'm still getting the grok parse failures:
Okay. The whole thing is suspicious since it obviously extracts the sourcestamp field, but the grok filter either extracts all the fields or none of them. Secondly, the grok and date filter above work just fine:
$ cat test.config
input { stdin { type => "catalina" } }
output { stdout { codec => rubydebug } }
filter {
  if [type] == "catalina" {
    grok {
      match => [ "message", "(?<sourcestamp>(\d){4}-(\d){2}-(\d){2} (\d){2}:(\d){2}:(\d){2},(\d){3})" ]
    }
    date {
      match => [ "sourcestamp" , "yyyy-MM-dd HH:mm:ss,SSS" ]
      timezone => "UTC"
    }
  }
}
$ echo '2016-04-27 15:23:15,340 [INFO] elasticsearch:63 - GET http://host.name.com/path]' | /opt/logstash/bin/logstash -f test.config
Settings: Default pipeline workers: 2
Pipeline main started
{
       "message" => "2016-04-27 15:23:15,340 [INFO] elasticsearch:63 - GET http://host.name.com/path]",
      "@version" => "1",
    "@timestamp" => "2016-04-27T15:23:15.340Z",
          "type" => "catalina",
          "host" => "hallonet",
   "sourcestamp" => "2016-04-27 15:23:15,340"
}
Pipeline main has been shutdown
stopping pipeline {:id=>"main"}
I suspect there's another grok filter lurking in your configuration. Perhaps another file in /etc/logstash/conf.d that you've forgotten about?
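A constructed Python model of the two filters discussed in this thread (added here as an illustration; it is not Logstash's code and not any participant's config): `%{NAME:field}` only resolves when NAME is a key of the pattern table, a regex in that slot is rejected, the `(?<name>...)` form bypasses the table, and the date filter's `yyyy-MM-dd HH:mm:ss,SSS` format is then checked against whatever the grok stage extracted. The pattern table is a small simplified subset of the stock grok definitions, and rejecting a malformed `%{...}` reference outright is an assumption of this model.

```python
import re
from datetime import datetime, timezone

# Constructed, simplified subset of the stock grok table (Python re syntax, not Oniguruma).
PATTERNS = {
    "YEAR": r"(?:\d\d){1,2}",
    "MONTHNUM": r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY": r"(?:0[1-9]|[12][0-9]|3[01]|[1-9])",
    "HOUR": r"(?:2[0123]|[01]?[0-9])",
    "MINUTE": r"(?:[0-5][0-9])",
    "SECOND": r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "ISO8601_TIMEZONE": r"(?:Z|[+-]%{HOUR}(?::?%{MINUTE}))",
    "TIMESTAMP_ISO8601": r"%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}"
                         r"(?::?%{SECOND})?%{ISO8601_TIMEZONE}?",
}
# A %{X:Y} reference: X must be a pattern NAME, Y is an optional field name.
TOKEN = re.compile(r"%\{([A-Z][A-Z0-9_]*)(?::([A-Za-z_]\w*))?\}")

def compile_grok(expr: str) -> re.Pattern:
    """Expand %{NAME:field} references (recursively) and compile the result."""
    def expand(m: re.Match) -> str:
        name, field = m.group(1), m.group(2)
        if name not in PATTERNS:
            raise ValueError(f"unknown grok pattern {name!r}")
        body = TOKEN.sub(expand, PATTERNS[name])  # nested %{...} inside the definition
        return f"(?P<{field}>{body})" if field else f"(?:{body})"
    out = TOKEN.sub(expand, expr)
    if "%{" in out:  # e.g. %{(\d){4}...:sourcestamp}: a regex where a NAME belongs
        raise ValueError("malformed %{...} reference: the first part must be a pattern name")
    # Oniguruma's (?<name>...) named group is spelled (?P<name>...) in Python's re.
    return re.compile(re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", out))

def grok_match(expr: str, line: str) -> dict:
    """Like the grok filter: all named fields on success, else only a failure tag."""
    m = compile_grok(expr).search(line)
    return m.groupdict() if m else {"tags": ["_grokparsefailure"]}

# Joda-style tokens accepted by the date filter, mapped to strptime directives.
JODA = {"yyyy": "%Y", "MM": "%m", "dd": "%d", "HH": "%H", "mm": "%M", "ss": "%S", "SSS": "%f"}

def date_filter(value: str, joda_fmt: str):
    """Parse `value` with the date filter's format (timezone => "UTC") and return the
    @timestamp string, or None where Logstash warns 'Failed parsing date from field'."""
    fmt = re.sub("|".join(JODA), lambda m: JODA[m.group()], joda_fmt)
    try:
        dt = datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"
```

Run against the sample line from the test above, both the `(?<sourcestamp>...)` form and `%{TIMESTAMP_ISO8601:sourcestamp}` extract `2016-04-27 15:23:15,340`, and the date stage yields the `2016-04-27T15:23:15.340Z` seen in the rubydebug output. The named pattern also accepts a value like `2016-04-25T00:00:00Z`, which the `yyyy-MM-dd HH:mm:ss,SSS` format then rejects, exactly the warning quoted earlier in the thread.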
I removed every other config to confirm your theory and I think something else is happening. Timestamps in logstash.stdout do match those from the logs, but the ones in Kibana still do not.
Is it possible the timestamps lose sync again at the Redis layer? I'm not using any filters there. Output to Redis is below:
I'm sorry, this was a case of massive PEBCAK. I had some of the filebeats configured to output directly to ES so those logs were showing up in Kibana without any processing.