Unable to parse TIMESTAMP_ISO8601 timestamp in logstash conf

Hi Team,
I am having trouble parsing the "TIMESTAMP_ISO8601" in Logstash grok. The only difference I see in the log message is an extra space after the hours : in the timestamp.

Eg:

2021-03-21T13:(\s) 01:54.402+0000

This is occurring only for a specific set of messages.

The TIMESTAMP_ISO8601 pattern does not allow a space there. You will have to use a custom pattern.

I have got my timestamp split into two fields with the help of a patterns directory.

2021-03-21T07:02:01.107+0000 == {TIMESTAMP_ISO8601: mytimestamp}
date {
  match => [ "mytimestamp" , "ISO8601" ]
  target => "@timestamp"
}
2021-03-21T07: 02:01.107+0000 == {CUSTOM_TS: mytimestamp}
date {
  match => [ "mytimestamp" , "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss", "ISO8601" ]
  target => "@timestamp"
}
After making the above changes, I am able to get my pipeline working without any errors, but the @timestamp is still reflecting the ingested timeline and not considering "mytimestamp".

Complete .conf file for reference

filter {
  grok {
    patterns_dir => [ "/opt/bea/ELKSTACK/logstash-6.2.4/custompatterns/patterns" ]
    match => { "message" => ["%{APIGE_TIME:mytimestamp}", "%{TIMESTAMP_ISO8601:mycrcttimestamp}"] }
    overwrite => [ "message" ]
  }
  date {
    match => [ "mycrcttimestamp" , "ISO8601" ]
    target => "@timestamp"
  }
  date {
    match => [ "mytimestamp" , "MMM dd yyyy HH:mm:ss", "MMM  d yyyy HH:mm:ss", "ISO8601" ]
    target => "@timestamp"
  }
}
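
An added example, not part of the original posts: one way to capture the spaced timestamp and give the date filter a format that contains the same space, so that event time rather than ingestion time lands in @timestamp. The pattern name SPACED_ISO8601 is hypothetical and defined inline; the field name mytimestamp is reused from the thread, and three-digit milliseconds with a numeric offset are assumed, as in the sample lines.

```logstash
filter {
  grok {
    # Hypothetical inline pattern: ISO8601 with an optional space after the
    # hours colon, built only from stock grok patterns.
    pattern_definitions => {
      "SPACED_ISO8601" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}T%{HOUR}:\s?%{MINUTE}:%{SECOND}%{ISO8601_TIMEZONE}"
    }
    match => { "message" => "%{SPACED_ISO8601:mytimestamp}" }
  }

  date {
    # Formats are tried in order. The second one carries the literal space
    # after "HH:", which the "ISO8601" keyword does not accept.
    match => [ "mytimestamp", "ISO8601", "yyyy-MM-dd'T'HH: mm:ss.SSSZ" ]
    target => "@timestamp"
    # Default value, written out: events that match none of the formats keep
    # the ingestion time in @timestamp and carry this tag.
    tag_on_failure => [ "_dateparsefailure" ]
  }
}
```

Searching the index for events tagged _dateparsefailure shows which messages still fall back to ingestion time.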
