Using my log timestamp in logstash sample log (first-pipeline.conf)

hasan_sharekhan · April 27, 2017, 12:02pm

I have just successfully completed first example (first-pipeline.conf) from Logstash tutorial by uploading logs from FileBeat to Logstash to ElasticSearch

In Kibana while creating new Index "logstash-*" I am not getting timestamp fields from logs instead i am getting @timestamp which actual log uploading time.

Links used

Sample Apache Logs used:
https://download.elastic.co/demos/logstash/gettingstarted/logstash-tutorial.log.gz

Parsing Logs with Logstashed:
https://www.elastic.co/guide/en/logstash/current/advanced-pipeline.html

Xavy · April 27, 2017, 2:50pm

Hello:

This is normal and is seen on the doc you're mentioning.

If you want to match the log date + time fields, I think that you might need using a grok patter to match the date + time piece on each log entry, and map it to a particular field of your choice

hasan_sharekhan · April 28, 2017, 7:23am

Thanks, I am using the first-pipeline.conf as given on
https://www.elastic.co/guide/en/logstash/current/advanced-pipeline.html

input {
beats {
port => "5043"
}
}

filter {
grok {
match => { "message" => "%{COMBINEDAPACHELOG}"}
}

geoip {
    source => "clientip"
}

}

output {
elasticsearch {
hosts => [ "localhost:9200" ]
}
}

In filter section I am using "%{COMBINEDAPACHELOG} as given in example/doc, isn't it enough or do i need to make changes in filter { } section for each and every field, since it is Apache web Logs and logstash understand it the format and it believe it is enough

magnusbaeck · April 28, 2017, 7:32am

You need a date filter. See https://www.elastic.co/guide/en/logstash/current/config-examples.html#_processing_apache_logs.

hasan_sharekhan · May 2, 2017, 11:37am

Thanks, its working,
Now I want to use same first-pipeline.conf file to parse my application logs which looks like this

Each line is divided in 3 parts
a) Date
b) LogType
c) Message

My first query is how to I parse it in 3 parts
and second is how to I parse message of every line which is different.

2017-04-16 04:17:24.497+05:30 [I] " Data: ABC Server started.."
2017-04-16 04:17:35.606+05:30 [D] " Data: XYZ List Generation - Start"
2017-04-16 04:18:15.309+05:30 [D] " Data: Restricted User List Generated. MaxTime [4/3/2017 12:32:24 PM]"
2017-04-16 04:18:20.106+05:30 [I] " Data: Normal Order Enabled in : MY_SERVER_A"
2017-04-16 04:18:20.841+05:30 [D] " Data: BulkOrderHome is Created Successfully..."
2017-04-16 04:18:22.778+05:30 [D] " Data: Bulk Report Disabled in : MY_SERVER_B"
2017-04-16 05:46:13.466+05:30 [D] " Data: Logged In Clients,0,Total Clients,0,P.Send Q,0,S.Send Q,0,Ack Size 0"
2017-04-19 06:12:56.312+05:30 [I] " Data: Holiday Master Loaded from 20170423 to 20171230"
2017-04-19 10:00:00.609+05:30 [I] " Data: GetLastSentDataSize: 12511212"
2017-04-19 10:00:02.546+05:30 [I] " Data: General Process Q : R=t|L=INDIA123"

system · May 30, 2017, 11:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Issue with grok and timestamp field in apache logs Logstash	3	1152	July 6, 2017
Filebeat/Logstash Apache Access Logs timestamp issue Logstash	9	656	September 30, 2022
Parse logfile date into Kibana's timestamp Logstash	18	4381	May 10, 2017
Timestamp not getting my log value using date filter logstash Logstash	4	901	May 26, 2017
Unable to parse datetime from log message Logstash	5	959	February 21, 2019

Using my log timestamp in logstash sample log (first-pipeline.conf)

Related Topics