Using log's timestamp as @timestamp

I need to use my log's timestamp as @timestamp. I've tried different methods from the internet, but none of them worked in my case.

input {
	s3 {
		bucket => "*"
		access_key_id => "*"
		secret_access_key => "*"
		prefix => "*"
		backup_to_bucket => "*"
		backup_add_prefix => "*"
		region => "*"
		delete => *
	}
}

filter {
	grok {
		match => { "message" => "%{IPORHOST:clientip} \[%{TIMESTAMP_ISO8601:logtimestamp}\] %{WORD:protocol} %{GREEDYDATA:uri_path} \"%{WORD:verb} %{DATA:partial_request} HTTP/%{NUMBER:httpversion}\" \"%{GREEDYDATA:User_Agent}\" \"%{GREEDYDATA:request}\" %{NUMBER:response} %{NUMBER:ret1} %{NUMBER:ret2} "}
	}

	date {
		match => ["logtimestamp", "ISO8601"]
		target => "@timestamp"
	}

	mutate {
		remove_field => [ "message" ]
	}
}

output {
	elasticsearch {
		hosts => ["endpoint:9200"]
		index => "mywebsite.com"
	}
	stdout {
		codec => rubydebug
	}
}

Sample log entry:

46.229.168.134 [17/Jun/2019:08:00:19 +0000] https www.mywebsite.com "GET /somefolder/somefolder/request HTTP/1.1" "Mozilla/5.0 (compatible; someBot/3~bl; +http://www.somebot.com/bot.html)" "" 200 48260 8  

It doesn't show any errors, but @timestamp is different from the log's timestamp, even though I tried converting it to my browser's timezone, which is how Kibana is configured.

Your timestamp format does not match ISO8601. Try

grok { match => { "message" => '%{IPORHOST:clientip} \[%{HTTPDATE:logtimestamp}\] %{WORD:protocol} %{IPORHOST:servername} "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{QS:agent} %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{NUMBER}' } }
date { match => ["logtimestamp", "dd/MMM/YYYY:HH:mm:ss Z"] }

Hi @Badger.
Thank you for your response, but I tried what you suggested and I received a _dateparsefailure. This is my current config:

filter {
	grok {
		match => { "message" => "%{IPORHOST:clientip} \[%{HTTPDATE:logtimestamp}\] %{WORD:protocol} %{GREEDYDATA:uri_path} \"%{WORD:verb} %{DATA:partial_request} HTTP/%{NUMBER:httpversion}\" \"%{GREEDYDATA:User_Agent}\" \"%{GREEDYDATA:request}\" %{NUMBER:response} %{NUMBER:ret1} %{NUMBER:ret2} "}
	}

	date {
		match => [ "logtimestamp", "dd/MMM/YYYY:HH:mm:ss z" ]
		target => "@timestamp"
	}
}

Not really. I suggested a date filter that matches against "dd/MMM/YYYY:HH:mm:ss Z", and that is not what you have used. The documentation explicitly says that z is not supported.


It's working now! I just missed the casing of 'Z'.
Thank you so much @Badger.
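As an added, runnable illustration of the fix reached in this thread (not code from the original posts, and not Logstash's own code): a small Python script that applies a hand-written regex equivalent of the suggested grok pattern to a constructed log line in the same shape as the one above, parses the bracketed HTTPDATE with the strptime equivalent of `dd/MMM/YYYY:HH:mm:ss Z`, and stores the result as a UTC `@timestamp`. It also reproduces the two failure modes the thread ran into: an ISO8601 format, and a zone-name format (the Python analogue of lowercase `z`, which expects a name such as UTC rather than a `+0000` offset). Both leave the event tagged `_dateparsefailure` with `@timestamp` falling back to ingest time, which is what Logstash does. The `parse_event` helper, the `referrer`/`duration` field names and the sample line are my own.

```python
import re
from datetime import datetime, timezone

# Constructed sample line (same shape as the one in the thread, not real traffic).
SAMPLE_LINE = (
    '46.229.168.134 [17/Jun/2019:08:00:19 +0000] https www.mywebsite.com '
    '"GET /somefolder/somefolder/request HTTP/1.1" '
    '"Mozilla/5.0 (compatible; someBot/3~bl; +http://www.somebot.com/bot.html)" '
    '"" 200 48260 8'
)

# Regex equivalent of the suggested grok pattern, with HTTPDATE, QS and the
# other grok macros expanded by hand. Capture names follow the grok field names.
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) '
    r'\[(?P<logtimestamp>\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\] '
    r'(?P<protocol>\w+) (?P<servername>\S+) '
    r'"(?P<verb>\w+) (?P<request>\S+)(?: HTTP/(?P<httpversion>[\d.]+))?" '
    r'"(?P<agent>[^"]*)" "(?P<referrer>[^"]*)" '
    r'(?P<response>\d+) (?P<bytes>\d+|-) (?P<duration>\d+)\s*$'
)

# strptime equivalents of the date-filter patterns discussed in the thread.
HTTPDATE_FMT = "%d/%b/%Y:%H:%M:%S %z"   # Joda "dd/MMM/YYYY:HH:mm:ss Z": numeric offset
ISO8601_FMT = "%Y-%m-%dT%H:%M:%S%z"      # what the original config tried to match
ZONE_NAME_FMT = "%d/%b/%Y:%H:%M:%S %Z"  # analogue of lowercase z: wants a name like UTC


def parse_event(line, date_format=HTTPDATE_FMT):
    """Turn one access-log line into an event dict the way the grok + date filters would.

    Returns the grok fields plus a timezone-aware '@timestamp'. On failure the event
    carries the tag Logstash would add: '_grokparsefailure' when the line does not
    match, '_dateparsefailure' when the timestamp does not match date_format (in
    which case @timestamp falls back to ingest time, as it does in Logstash).
    """
    match = LOG_RE.match(line)
    if match is None:
        return {"message": line, "tags": ["_grokparsefailure"]}

    event = match.groupdict()
    event["tags"] = []
    try:
        parsed = datetime.strptime(event["logtimestamp"], date_format)
    except ValueError:
        event["@timestamp"] = datetime.now(timezone.utc)
        event["tags"].append("_dateparsefailure")
    else:
        # Elasticsearch stores @timestamp in UTC; Kibana shifts it to the browser's zone.
        event["@timestamp"] = parsed.astimezone(timezone.utc)
    return event


if __name__ == "__main__":
    for fmt in (HTTPDATE_FMT, ISO8601_FMT, ZONE_NAME_FMT):
        ev = parse_event(SAMPLE_LINE, fmt)
        print(f"{fmt!r:32} -> {ev['@timestamp'].isoformat()} tags={ev['tags']}")
```

Only the first format yields the log's own time (2019-06-17T08:00:19+00:00); the other two print the current time with `_dateparsefailure`, which is the silent symptom from the first post: no error in the pipeline, just a wrong `@timestamp`. When checking a pipeline, grep the rubydebug output for `_dateparsefailure` and `_grokparsefailure` tags rather than eyeballing timestamps.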
