In the first example your grok filter isn't working on your log line, so the date filter that otherwise would take the timestamp from the log and store it in the @timestamp field doesn't work either.
Hi @magnusbaeck, I use:
filter {
  grok {
    match => {
      "message" => '%{IPORHOST:clientip} %{USER:ident} %{USER:auth} [%{HTTPDATE:timestamp}] "%{WORD:verb} %{DATA:request} HTTP/%{NUMBER:httpversion}" %{NUMBER:respon$
    }
  }
  date {
    match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss Z" ]
    target => "@timestamp"
    locale => en
  }
Now my question is: I have the same type of log (Apache), so why does the grok filter match only some strings and not all strings? What is wrong?
Thank you for your reply.
Show an example of a log line that the grok filter couldn't parse. Use copy/paste, don't post a screenshot. Please also post exactly what your grok filter looks like. The configuration you posted above is damaged (your grok expression hardly ends with "%{NUMBER:respon$"). Make sure you post your configuration as preformatted text using the </> toolbar button.