@timestamp with [13-Apr-2017 16:36:22 America/New_York]

mikemi · April 14, 2017, 6:58pm

I have a PHP log I'm trying to get times from. Logstash is just setting @timestamp as the current time the log is parsed.

The log starts off with this:
[13-Apr-2017 16:36:22 America/New_York]

The relevant part of my filter looks like this: (grok matches, I just abbreviated)

    grok {
      match => [
        "message", "\[%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME} %{DATA:tz}\] ..."
      ]
    }
    date {
      timezone => "%{tz}"
      locale => "en"
      match => [ "timestamp", "dd-MMM-yyyy HH:mm:ss ZZZ" ]
    }

The value of @timestamp when I run this is always the current date/time.

What changes do I need to make for this to work?

magnusbaeck · April 18, 2017, 5:37am

You're not capturing the timestamp components into a timestamp field. Your grok expression should look like this

\[(?<timestamp>%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME}) %{DATA:tz}\] ...

and you should remove " ZZZ" from your date pattern.

mikemi · April 19, 2017, 3:22am

Finally, I understand how the timestamp is assigned. Thank you!

system · May 17, 2017, 3:26am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.