Filter on a nested date field in logstash - logstash

I'm trying to use date filter on a nested date field in json
json snippet:
"_source": {
"QueryResult": {
"Results": [
{
"CreationDate": "2016-12-13T05:37:11.953Z",
filter config:
filter {
date {
match => [ "[QueryResult][Results][CreationDate]", "ISO8601" ]
}
}
It keeps failing with below error:
[2017-01-05T19:40:44,575][ERROR][logstash.pipeline ] Exception in pipelineworker, the pipeline stopped processing new events, please check your filter configuration and restart Logstash. {"exception"=>java.lang.NumberFormatException: For input string: "CreationDate", "backtrace"=>["java.lang.NumberFormatException.forInputString(java/lang/NumberFormatException.java:65)", "java.lang.Integer.parseInt(java/lang/Integer.java:580)", "java.lang.Integer.parseInt(java/lang/Integer.java:615)", "org.logstash.Accessors.fetch(org/logstash/Accessors.java:130)", "org.logstash.Accessors.get(org/logstash/Accessors.java:20)", "org.logstash.Event.getUnconvertedField(org/logstash/Event.java:160)", "org.logstash.Event.getField(org/logstash/Event.java:150)", "org.logstash.filters.DateFilter.executeParsers(org/logstash/filters/DateFilter.java:97)", "org.logstash.filters.DateFilter.receive(org/logstash/filters/DateFilter.java:78)", "java.lang.reflect.Method.invoke(java/lang/reflect/Method.java:497)", "RUBY.multi_filter(/usr/share/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-date-3.1.1/lib/logstash/filters/date.rb:191)", "RUBY.multi_filter(/usr/share/logstash/logstash-core/lib/logstash/filter_delegator.rb:41)", "RUBY.filter_func((eval):42)", "LogStash::Pipeline.filter_batch(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:295)", "LogStash::Pipeline.filter_batch(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:295)", "org.jruby.RubyProc.call(org/jruby/RubyProc.java:281)", "LogStash::Util::WrappedSynchronousQueue::ReadBatch.each(/usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:192)", "LogStash::Util::WrappedSynchronousQueue::ReadBatch.each(/usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:192)", "org.jruby.RubyHash.each(org/jruby/RubyHash.java:1342)", "LogStash::Util::WrappedSynchronousQueue::ReadBatch.each(/usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:191)", "LogStash::Util::WrappedSynchronousQueue::ReadBatch.each(/usr/share/logstash/logstash-core/lib/logstash/util/wrapped_synchronous_queue.rb:191)", "LogStash::Pipeline.filter_batch(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:294)", "LogStash::Pipeline.filter_batch(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:294)", "RUBY.worker_loop(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:282)", "RUBY.start_workers(/usr/share/logstash/logstash-core/lib/logstash/pipeline.rb:258)", "java.lang.Thread.run(java/lang/Thread.java:745)"]}
I've been trying to figure this out for a few days now, but no luck.
I tried removing the codec: json as suggested in "Access nested JSON Field in Logstash", and checked the date format as suggested in "Parsing a date field in logstash to elastic search" and "Nested field access in date filter".
Based on above post, I tried below filter snippet, but still got the same error:
date {
match => [ "[QueryResult][Results][CreationDate]",
"UNIX",
"UNIX_MS",
"ISO8601",
"timestamp",
"yyyy-MM-dd HH:mm:ss.SSS",
"yyyy-MM-dd HH:mm:ss,SSS",
"yyyy-MM-dd HH:mm:ss",
"yyyy/MM/dd HH:mm:ss",
"MMM d HH:mm:ss",
"MMM dd HH:mm:ss",
"dd/MMM/yyyy:HH:mm:ss Z",
"yyyy-MM-dd HH:mm:ss.SSSZ",
"yyyy-MM-dd'T'HH:mm:ss.SSSZ",
"yyyy-MM-dd'T'HH:mm:ssZ",
"E MMM dd HH:mm:ss yyyy Z" ]
target => "timestamp"
}
Any help/clue will be appreciated.
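As an added illustration (not part of the original post and not Logstash's own code): the backtrace shows Accessors.fetch handing the segment "CreationDate" to Integer.parseInt, which is what happens when the preceding segment, Results, is an array, because an array can only be indexed by an integer. This Ruby sketch models that resolution rule on a constructed event: the asker's reference raises, while [QueryResult][Results][0][CreationDate] resolves and parses as ISO8601.

```ruby
require 'json'
require 'time'

# Constructed event modelled on the asker's document: "Results" is an
# array, so the segment after it has to be an integer index.
EVENT = JSON.parse(<<~DOC)
  { "QueryResult": { "Results": [
      { "CreationDate": "2016-12-13T05:37:11.953Z" } ] } }
DOC

# Split a Logstash-style reference "[a][b][0]" into its segments.
def split_reference(ref)
  ref.scan(/\[([^\]]+)\]/).flatten
end

# Walk the event the way Logstash's Accessors do: a hash is indexed by
# key, an array only by an integer. A non-numeric segment applied to an
# array is what produced the NumberFormatException in the question.
def fetch_field(event, ref)
  split_reference(ref).reduce(event) do |node, seg|
    case node
    when Hash then node[seg]
    when Array
      raise ArgumentError, "array index expected, got #{seg}" unless seg =~ /\A\d+\z/
      node[Integer(seg)]
    end
  end
end

# Parse the resolved value as ISO8601, as the date filter would.
def parse_creation_date(event, ref)
  Time.iso8601(fetch_field(event, ref)).utc
end

if $PROGRAM_NAME == __FILE__
  begin
    fetch_field(EVENT, '[QueryResult][Results][CreationDate]')
  rescue ArgumentError => e
    puts "failing reference: #{e.message}"
  end
  puts parse_creation_date(EVENT, '[QueryResult][Results][0][CreationDate]')
end
```

If the array can hold more than one result, a split filter on [QueryResult][Results] before the date filter gives each element its own event, and the date field is then addressable without an index.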

Related

Logstash @timestamp format change for syslog

I am using a logstash pipeline to ingest data into an rsyslog server.
Currently the @timestamp value being added by logstash is in this format:
Sep 27 10:14:43
But I want @timestamp to be printed in the format:
27-09-2022 11:14:43.933
I am trying to change it via this but this is not working:
filter {
date {
match => [ "@timestamp", " DD-MM-YYYY HH:mm:ss" ]
}
}
How can I change the value of this?
The date filter is used to "parse" the input date, so you need to provide the format of your parsed field
filter {
date {
match => [ "@timestamp", "MMM dd HH:mm:ss" ]
}
}
it will then be injected into @timestamp
ref: https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html

Error parsing date with grok filter in logstash

I need to parse the date and timestamp in the log to show in the @timestamp field. I am able to parse timestamp but not date.
Input Log:
"2010-08-18","00:01:55","text"
My Filter:
grok {
match => { "message" => '"(%{DATE})","(%{TIME})","(%{GREEDYDATA:message3})"' }
}
Here DATE throws grokparsefailure.
Also not sure how to update the @timestamp field.
Appreciate your help.
The %{DATE} pattern is not what you want. It's looking for something in M/D/Y, M-D-Y, D-M-Y, or D/M/Y format.
For a file like this, you could consider using the csv filter:
filter {
csv {
columns => ["date","time","message3"]
add_field => {
"date_time" => "%{date} %{time}"
}
}
date {
match => [ "date_time", "yyyy-MM-dd HH:mm:ss" ]
remove_field => ["date", "time", "date_time" ]
}
}
This will handle the case where message3 has embedded quotes in it that have been escaped.

how to replace logstash @timestamp with log timestamp

My time stamp in the logs is in the format below:
2016-04-07 18:11:38.169 which is yyyy-MM-dd HH:mm:ss.SSS
This log file is not a live one (stored/old one), and I am trying to replace this timestamp with the logstash @timestamp value for the betterment of the Kibana Visualization.
My filter in logstash is like below
grok {
match => {
"message" => [ "(?<timestamp>(\d){4}-(\d){2}-(\d){2} (\d){2}:(\d){2}:(\d){2}.(\d){3}) %{SYSLOG5424SD} ERROR u%{BASE16FLOAT}.%{JAVACLASS} - TransId:2b948ed5-12c0-4ae0-9b99-f1ee01191001 - TransactionId ::\"2b948ed5-12c0-4ae0-9b99-f1ee01191001\"- Actual Time taken to process \:\: %{NUMBER:responseTime:int}" ]
}
}
date {
match => [ "timestamp:date" , "yyyy-MM-dd HH:mm:ss.SSS Z" ]
timezone => "UTC"
target => "@timestamp"
}
But it's not replacing the @timestamp value. JSON value:
{
"_index": "logstash-2017.02.09",
"_type": "logs",
"_id": "AVoiZq2ITxwgj2avgkZa",
"_score": null,
"_source": {
"path": "D:\\SoftsandTools\\Kibana\\Logs_ActualTimetakentoprocess.log",
"@timestamp": "2017-02-09T10:23:58.778Z", **logstash @timestamp**
"responseTime": 43,
"@version": "1",
"host": "4637",
"message": "2016-04-07 18:07:01.809 [SimpleAsyncTaskExecutor-3] ERROR s.v.wsclient.RestClient - TransId:2b948ed5-12c0-4ae0-9b99-f1ee01191001 - TransactionId ::\"2b948ed5-12c0-4ae0-9b99-f1ee01191001\"- Actual Time taken to process :: 43",
"timestamp": "2016-04-07 18:07:01.809" **My time stamp**
}
Sample log line -
2016-04-07 18:11:38.171 [SimpleAsyncTaskExecutor-1] ERROR s.v.wsclient.RestClient - TransId:2b948ed5-12c0-4ae0-9b99-f1ee01191001 - TransactionId ::"2b948ed5-12c0-4ae0-9b99-f1ee01191001"- Actual Time taken to process :: 521
Could you please help and let me know where I am going wrong here.
You should basically have a grok match in order to use the timestamp of your log line:
grok {
patterns_dir => ["give your path/patterns"]
match => { "message" => "^%{LOGTIMESTAMP:logtimestamp}%{GREEDYDATA}" }
}
In your pattern file make sure to have the pattern which matches your timestamp in the log, which could look something like this:
LOGTIMESTAMP %{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}
And then once you've done the grok filtering you might be able to use the filtered value like:
mutate {
add_field => { "newtimestamp" => "%{logtimestamp}" }
remove_field => ["logtimestamp"]
}
date {
match => [ "newtimestamp" , "ISO8601" , "yyyy-MM-dd HH:mm:ss.SSS" ]
target => "@timestamp" <-- the timestamp which you wanted to apply on
locale => "en"
timezone => "UTC"
}
Hope this helps!
You can use the date filter plugin of logstash:
date {
match => ["timestamp", "UNIX"]
}

Logstash Grok - How to parse @timestamp field using HTTPDERROR_DATE pattern?

My log file has this pattern:
[Sun Oct 30 17:16:09 2016] [TRACE_HIGH] [TEST1] MessageTest1
[Sun Oct 30 17:16:10 2016] [TRACE_HIGH] [TEST2] MessageTest2
Pattern:
\A\[%{HTTPDERROR_DATE}](?<message>(.|\r|\n)*)
Filter:
filter {
if [type] == "mycustomlog" {
grok {
match => { "message" => "\A\[%{HTTPDERROR_DATE}](?<message>(.|\r|\n)*)"}
}
date {
# Format: Wed Jan 13 11:50:44.327650 2016 (GROK: HTTPDERROR_DATE)
match => [ "timestamp", "EEE MMM dd HH:mm:ss yyyy"]
}
multiline {
pattern => "^%{SYSLOG5424SD}%{SPACE}"
what => "previous"
negate=> true
}
}
}
I am trying to use my datetime log in the @timestamp field, but I cannot parse this format into @timestamp. Why did the date filter not replace the @timestamp value?
My @timestamp is different from the log row:
row[0]
@timestamp: [Wed Nov 2 15:56:42 2016]
message: [Wed Nov 2 15:56:41 2016]
I am following this tutorial:
https://www.digitalocean.com/community/tutorials/adding-logstash-filters-to-improve-centralized-logging
Using:
Elasticsearch 2.2.x, Logstash 2.2.x, and Kibana 4.4.x
Grok Constructor Print:
The grok pattern used, \A\[%{HTTPDERROR_DATE}](?<message>(.|\r|\n)*) does not create a field from the %{HTTPDERROR_DATE}.
You need to have %{pattern:field} so that the data captured by the pattern creates a field (cf documentation).
So in your case it would be like this:
\A\[%{HTTPDERROR_DATE:timestamp}](?<message>(.|\r|\n)*)
I think Elasticsearch/Kibana @timestamp doesn't support "EEE MMM dd HH:mm:ss yyyy" format. Hence, you can bring the timestamp to the format "dd/MMM/yyyy:HH:mm:ss.SSSSSS" using mutate processor.
Snippet as below:
grok {
match => [ "message", "\[%{DAY:day} %{MONTH:month} %{MONTHDAY:monthday} %{TIME:time} %{YEAR:year}\] %{GREEDYDATA:message}" ]
}
mutate {
add_field => {
"timestamp" => "%{monthday}/%{month}/%{year}:%{time}"
}
}
date {
locale => "en"
timezone => "UTC"
match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss.SSSSSS"]
target => "@timestamp"
remove_field => ["timestamp", "monthday", "year", "month", "day", "time"]
}
It may help someone. Thanks!
To apply the new field you must enter the target to overwrite the field:
target => "@timestamp"
By example:
date {
match => [ "timestamp", "dd MMM yyyy HH:mm:ss" ]
target => "@timestamp"
locale => "en"
remove_field => [ "timestamp" ]
}

Logstash custom date log format match

I have this log that prints the date in a format that looks like this:
= Build Stamp: 10:45:33 On Apr 4 2014 =
So I have run the filter on grok debugger but am still clueless on how to remove the word On.
grok {
patterns_dir => "./patterns"
match => { "message" => "%{F_TIMESTAMP:timestamp}" }
}
date {
match => [ "timestamp" , "HH:mm:ss MMM d yyyy" , "HH:mm:ss MMM dd yyyy" ]
locale => "en"
}
pattern file,
F_TIMESTAMP %{TIME} \On %{MONTH} +%{MONTHDAY} %{YEAR}
My current output for timestamp would be
10:45:33 On Apr 4 2014 on grok debugger.
Then how can I make it compatible/match with logstash @timestamp?
You can extract each part of the date time and combine them in another field without the On keyword.
You can achieve this as follows:
filter {
grok {
match => { "message" => "%{F_TIMESTAMP}" }
}
mutate {
add_field => {
"timestamp" => "%{time} %{month} %{monthday} %{year}"
}
}
date {
match => [ "timestamp" , "HH:mm:ss MMM d yyyy" , "HH:mm:ss MMM dd yyyy" ]
locale => "en"
}
mutate {
remove_field => [ "time" ,"month","monthday","year","timestamp"]
}
}
F_TIMESTAMP %{TIME:time}\s*On\s*%{MONTH:month}\s*%{MONTHDAY:monthday}\s*%{YEAR:year}
It's working fine for me.
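As an added example serving this question and the HTTPDERROR_DATE question above (it is not code from either thread and not Logstash's own grok or date implementation): a small Ruby model of the grok, then mutate/add_field, then date sequence the answers describe. The PATTERNS table is a constructed approximation of a few grok primitives, and the two sample lines are taken from the questions.

```ruby
require 'time'

# Grok-style building blocks as regex fragments (constructed for this
# example; they approximate, not reproduce, the grok pattern library).
PATTERNS = {
  'DAY'      => '(?:Mon|Tue|Wed|Thu|Fri|Sat|Sun)',
  'MONTH'    => '(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec)',
  'MONTHDAY' => '(?:0?[1-9]|[12]\d|3[01])',
  'YEAR'     => '\d{4}',
  'TIME'     => '\d{2}:\d{2}:\d{2}',
}.freeze

# Expand "%{NAME:field}" into a named capture and a bare "%{NAME}" into
# a non-capturing group: only the former yields a field, which is the
# point of the HTTPDERROR_DATE answer above.
def grok_to_regex(pattern)
  Regexp.new(pattern.gsub(/%\{(\w+)(?::(\w+))?\}/) do
    sub = PATTERNS.fetch($1)
    $2 ? "(?<#{$2}>#{sub})" : "(?:#{sub})"
  end)
end

# Apply a grok-style pattern; return the named captures as a field hash.
def grok_match(pattern, line)
  m = grok_to_regex(pattern).match(line)
  m ? m.names.zip(m.captures).to_h : {}
end

# Rebuild one timestamp string from the parts (the mutate/add_field step)
# and parse it as UTC with a strptime format (the date filter's match).
def parse_timestamp(fields, template, format)
  text = template.gsub(/%\{(\w+)\}/) { fields.fetch($1) }
  Time.strptime("#{text} +0000", "#{format} %z")
end

# Constructed sample lines taken from the two questions above.
HTTPD_LINE  = '[Sun Oct 30 17:16:09 2016] [TRACE_HIGH] [TEST1] MessageTest1'
HTTPD_GROK  = '\A\[%{DAY:day} %{MONTH:month} %{MONTHDAY:monthday} %{TIME:time} %{YEAR:year}\]'
STAMP_LINE  = '= Build Stamp: 10:45:33 On Apr 4 2014 ='
STAMP_GROK  = '%{TIME:time}\s*On\s*%{MONTH:month}\s*%{MONTHDAY:monthday}\s*%{YEAR:year}'

def httpd_timestamp(line = HTTPD_LINE)
  parse_timestamp(grok_match(HTTPD_GROK, line), '%{monthday}/%{month}/%{year}:%{time}', '%d/%b/%Y:%H:%M:%S')
end

def stamp_timestamp(line = STAMP_LINE)
  parse_timestamp(grok_match(STAMP_GROK, line), '%{time} %{month} %{monthday} %{year}', '%H:%M:%S %b %d %Y')
end
```

A pattern without a field name, such as %{DAY}, contributes to the match but produces no key in the returned hash, which is the same reason the unnamed %{HTTPDERROR_DATE} left the date filter with nothing to parse.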
