Unable to search with timestamp

Vijay_Chander · August 6, 2018, 10:28am

I've created an index with two doc types(sas_logs & pid_logs) of different formats.

The logstash config file is

input {
file {
path => "E:/ElasticSearchWork/pid_logs/.log"
type => "pid_logs"
start_position => "beginning"
sincedb_path => "/dev/null"
}
file {
path => "E:/ElasticSearchWork/sas_logs/.log"
type => "sas_logs"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}

filter {

if [type] == "pid_logs" {
grok {
match => { "message" => "pid: (?\d+) mem: (?\d+) cpu: (?\d+)" }
}
}

if [type] == "sas_logs" {
grok {
match => { "message" => "%{LOGLEVEL:loglevel}\s+[%{NUMBER:num}]\s+:%{USERNAME:user}\s+-\s+%{GREEDYDATA:msg}" }
}
}
}

output {
elasticsearch {
hosts => "http://localhost:9200"
index => "com_index"
}
stdout {
codec => rubydebug
}
}

The log formats are

pid_logs: pid: 2178 cpu: 0.2 mem: 0.3

I'm trying to search in the kibana with the timestamp as I need to map/get the data from both the logs at particular timestamp.

In Kibana

Can anyone please help me in this.

magnusbaeck · August 6, 2018, 12:17pm

Have you tried removing the space after @timestamp:?

Vijay_Chander · August 6, 2018, 12:19pm

Yes, Even I've tried to search one exact timestamp value, still its returns empty.

I'm working on this from last two days but no luck.

magnusbaeck · August 6, 2018, 1:23pm

Maybe it's the colons that's throwing the query parser off. Trying double-quoting the value, i.e. @timestamp:"2018-08-03T....".

(I've never had the need to search for documents matching an exact timestamp.)

Vijay_Chander · August 6, 2018, 2:01pm

Magnus you're an angel It worked. I've tried the same before but forgot the '@' before timestamp variable as the logs also have a timestamp(custom) variable.

system · September 3, 2018, 2:01pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.