Unable to parse this timestamp-very strange

Nithani25 · January 11, 2019, 1:38pm

Hi Team,
I am working two sets of logs, with different timestamp files and i am not able to parse them

Format 1: 2018-Dec-18 08:18:21,531

Logstash conf

match => { "message" => "%{YEAR:year}-%{MONTH:month}-%{MONTHDAY:day} %{TIME:time},%{NUMBER:z}" }
       overwrite => [ "message" ]
            }
       mutate {
          add_field => { "timestamp" => "%{year}-%{month}-%{day} %{time},%{z}" }
             }
       date {
           match => [ "timestamp" , "EEE MMM dd HH:mm:ss y", "EEE MMM dd HH:mm:ss ZZZ yyyy", "EEE MMM  d HH:mm:ss ZZZ yyyy", "dd/MMM/yyyy:HH:mm:ss Z", "YYYY-MM-dd HH:mm:ss", "YYYY-MM-dd HH:mm:ss Z", "YYYY-MMM-dd HH:mm:ss", "dd.MM.YY HH:mm:ss", "MMM dd, yyyy hh:mm:ss a", "dd.MM.YY-HH:mm:ss", "MMM dd HH:mm:ss" ]
            }
}

Conitnuous grok parse failures...

Format 2: [2018-07-10 01:15:43,195]

since its in square braces, tried creating custome pattern

pattern file:
SAMPLE_TIME [%{YEAR}-%{MONTH}-%{MONTHDAY} %{TIME},%{NUMBER}]

logstash conf:

 match => { "message" => "%{SAMPLE_TIME}" }
           overwrite => [ "message" ]
                }

But no luck with this also..

Badger · January 11, 2019, 3:03pm

For format 1, you can use "YYYY-MMM-dd HH:mm:ss,SSS"

For format 2, your grok pattern is not anchored, so you can ignore the brackets.

"%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{TIME:time},%{NUMBER:z}"

Alternatively (and more efficiently), anchor it and escape the brackets

"^\[%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{TIME:time},%{NUMBER:z}\]"

Then parse the date against "YYYY-MM-dd HH:mm:ss,SSS"

system · February 8, 2019, 3:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.