Timestamps filter

Elastic Stack Logstash
1

I cant get the "Time" field to match the message log

filter {
mutate { replace => { "type" => "logs" } }
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}%{DATA}%{YEAR}]%{DATA}%{SYSLOG5424SD:Alert}%{DATA}%{SYSLOG5424SD:Pid}%{DATA}%{IPV4:clientip}:%{POSINT:Port}]%{GREEDYDATA:Message}" }
}
grok {
#patterns_dir => ["/etc/logstash/patterns"]
match => { "message" => "%{SYSLOGTIMESTAMP:timestamp}%{DATA}%{YEAR}]%{GREEDYDATA:Message}" }
add_field => { "subType" => "Common_ICS" }
}
grok {
match => { "message" => "%{IPV4:clientip}\s*-\s-\s[%{HTTPDATE:timestamp}%{GREEDYDATA:Message}" }
}
date {
match => [ "timestamp" , "MMM d yyy HH:mm:ss", "MMM dd yyyy HH:mm:ss", "ISO8601", "ddd MMM dd HH:mm:ss yyyy" ]
add_field => { "Status" => "Matched"}
remove_field => ["timestamp"]
}

geoip {
    source => "clientip"
 }

}
image

2

Your timestamp field is "MMM dd HH:mm:ss" with no year.

1 Like
3

I dont get what your saying

4

This should work

"EEE MMM dd HH:mm:ss yyyy"

5

Look at the second column of your screenshot. The timestamp field has the value "Feb 17 10:25:36", with no year.

6

Oh I see what your saying.. I really dont need that field Im trying to change the "Time" field on the far left ... is that possible ?

7

Well, firstly, do not use SYSLOGTIMESTAMP, since that discards the year, and if there is no year then a logstash date filter will guess, and I can guarantee that sometimes it will guess incorrectly. I would dissect it

dissect { mapping => { "message" => "%{} %{[@metadata][timestamp]} %{+[@metadata][timestamp]} %{+[@metadata][timestamp]} %{+[@metadata] [timestamp]} %{restOfLine}" } }
date { match => [ "[@metadata][timestamp]", "MMM d HH:mm:ss yyyy" ] }

will get you

"@timestamp" => 2020-02-17T15:25:56.000Z,

You could use the target option on the date filter to set [Time] instead.

8

Ok thanks I will try this

9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.