Logstash custom date log format match - logstash

I have this log that prints the date format that looks like this:
= Build Stamp: 10:45:33 On Apr 4 2014 =
So I have run the filter on grok debugger but am still clueless on how to remove the word On
grok {
  patterns_dir => "./patterns"
  match => { "message" => "%{F_TIMESTAMP:timestamp}" }
}
date {
  match => [ "timestamp" , "HH:mm:ss MMM d yyyy" , "HH:mm:ss MMM dd yyyy" ]
  locale => "en"
}
pattern file,
F_TIMESTAMP %{TIME} \On %{MONTH} +%{MONTHDAY} %{YEAR}
My current output for timestamp would be
10:45:33 On Apr 4 2014 on grok debugger.
Then how can I make it compatible/match with logstash @timestamp?

You can extract each part of the date and time and combine them in another field without the On keyword.
You can achieve this as follows:
filter {
  grok {
    # directory that holds the F_TIMESTAMP definition shown below
    patterns_dir => "./patterns"
    match => { "message" => "%{F_TIMESTAMP}" }
  }
  mutate {
    # rebuild the timestamp from the captured parts, leaving out "On"
    add_field => {
      "timestamp" => "%{time} %{month} %{monthday} %{year}"
    }
  }
  date {
    match => [ "timestamp" , "HH:mm:ss MMM d yyyy" , "HH:mm:ss MMM dd yyyy" ]
    locale => "en"
  }
  mutate {
    remove_field => [ "time", "month", "monthday", "year", "timestamp" ]
  }
}
F_TIMESTAMP %{TIME:time}\s*On\s*%{MONTH:month}\s*%{MONTHDAY:monthday}\s*%{YEAR:year}
It's working fine for me.

Related

Logstash date is not working with HH:mm:ss.SSS but working with HH:mm:ss,SSS

When I check the elasticsearch output, it seems not correct with the timestamp it is displaying.
For HH:mm:ss.SSS (not working correctly) -> apache.log
"message" : "[DEBUG] 2020-12-05 12:26:18.254...
"@timestamp" : "2021-01-11T03:31:10.314Z",
For HH:mm:ss,SSS (working correctly) -> eai_new.log
"timestamp" : "2020-11-23 06:05:05,297",
"message" : "2020-11-23 06:05:05,297
"@timestamp" : "2020-11-22T22:05:05.297Z"
Besides that, what is the difference between timestamp and @timestamp?
Below is my logstash code
filter {
  if [name_of_log] in ["apache"] {
    grok {
      match => { "message" => "\[%{LOGLEVEL:level}\] %{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:msg}" }
    }
    date {
      match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss.SSS" ]
    }
  } else {
    grok {
      match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:level} %{GREEDYDATA:msg}" }
    }
    date {
      match => [ "timestamp" , "yyyy-MM-dd HH:mm:ss,SSS" ]
    }
  }
}
The date filter in logstash has a target field where it puts the value that has just been parsed. The name of the default field is @timestamp.
So when data parsing is ok, the result of the parsing process is saved in the field @timestamp.
You have more details here about the date filter of logstash.
If the parsing operation doesn't work, the @timestamp is put by Elasticsearch itself and the value corresponds to the date of insertion on the Elasticsearch side. This is the default behaviour if you haven't set a specific configuration (for mapping) in your Elasticsearch example.
The timestamp field is set during your grok operation. In your code, this sets the timestamp field %{TIMESTAMP_ISO8601:timestamp} in this part of the logstash filter configuration:
grok {
  match => { "message" => "\[%{LOGLEVEL:level}\] %{TIMESTAMP_ISO8601:timestamp} %{GREEDYDATA:msg}" }
}
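A check for the symptom shown in this question, added here as an example (it is not code from the question or the answer): it compares the time written in each raw message with the indexed @timestamp and reports documents where the two disagree, as in the apache sample. The UTC+8 source offset is inferred from the working sample; the documents, the tags value and the function names are constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: sources log local time at UTC+8, inferred from the working
# sample above (06:05:05,297 in the message, 22:05:05.297Z in @timestamp).
SOURCE_TZ = timezone(timedelta(hours=8))

# Timestamp as written in the raw message; "." or "," before the millis.
RAW_TS = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})[.,](\d{3})")

def message_time(message):
    """UTC time embedded in the raw message, or None if there is none."""
    m = RAW_TS.search(message)
    if m is None:
        return None
    local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    local = local.replace(microsecond=int(m.group(2)) * 1000, tzinfo=SOURCE_TZ)
    return local.astimezone(timezone.utc)

def indexed_time(doc):
    """The document's @timestamp (ISO 8601 with a trailing Z) as UTC."""
    ts = datetime.strptime(doc["@timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return ts.replace(tzinfo=timezone.utc)

def audit(docs, tolerance=timedelta(seconds=1)):
    """Return (doc, drift) pairs where @timestamp is not the logged time."""
    findings = []
    for doc in docs:
        logged = message_time(doc["message"])
        drift = None if logged is None else indexed_time(doc) - logged
        failed_tag = "_dateparsefailure" in doc.get("tags", [])
        if drift is None or abs(drift) > tolerance or failed_tag:
            findings.append((doc, drift))
    return findings

# Constructed documents modelled on the two outputs quoted in the question;
# the message tails and the tags value are made up for the example.
DOCS = [
    {"name_of_log": "apache", "tags": ["_dateparsefailure"],
     "message": "[DEBUG] 2020-12-05 12:26:18.254 constructed text",
     "@timestamp": "2021-01-11T03:31:10.314Z"},
    {"name_of_log": "eai_new",
     "message": "2020-11-23 06:05:05,297 INFO constructed text",
     "@timestamp": "2020-11-22T22:05:05.297Z"},
]

if __name__ == "__main__":
    for doc, drift in audit(DOCS):
        print(doc["name_of_log"], "drift:", drift)
```

Run against an export of indexed documents, a non-empty result marks events whose position on a timeline reflects when they were stamped rather than when they were logged.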

Error parsing date with grok filter in logstash

I need to parse the date and timestamp in the log to show in the @timestamp field. I am able to parse the timestamp but not the date.
Input Log:
"2010-08-18","00:01:55","text"
My Filter:
grok {
  match => { "message" => '"(%{DATE})","(%{TIME})","(%{GREEDYDATA:message3})"' }
}
Here DATE throws grokparsefailure.
Also not sure how to update the @timestamp field.
Appreciate your help.
The %{DATE} pattern is not what you want. It's looking for something in M/D/Y, M-D-Y, D-M-Y, or D/M/Y format.
For a file like this, you could consider using the csv filter:
filter {
  csv {
    columns => ["date","time","message3"]
    # join the two columns so the date filter gets a single string
    add_field => {
      "date_time" => "%{date} %{time}"
    }
  }
  date {
    match => [ "date_time", "yyyy-MM-dd HH:mm:ss" ]
    remove_field => ["date", "time", "date_time" ]
  }
}
This will handle the case where message3 has embedded quotes in it that have been escaped.

Logstash Grok - How to parse @timestamp field using HTTPDERROR_DATE pattern?

My log file has this pattern:
[Sun Oct 30 17:16:09 2016] [TRACE_HIGH] [TEST1] MessageTest1
[Sun Oct 30 17:16:10 2016] [TRACE_HIGH] [TEST2] MessageTest2
Pattern:
\A\[%{HTTPDERROR_DATE}](?<message>(.|\r|\n)*)
Filter:
filter {
  if [type] == "mycustomlog" {
    grok {
      match => { "message" => "\A\[%{HTTPDERROR_DATE}](?<message>(.|\r|\n)*)"}
    }
    date {
      # Format: Wed Jan 13 11:50:44.327650 2016 (GROK: HTTPDERROR_DATE)
      match => [ "timestamp", "EEE MMM dd HH:mm:ss yyyy"]
    }
    multiline {
      pattern => "^%{SYSLOG5424SD}%{SPACE}"
      what => "previous"
      negate => true
    }
  }
}
I am trying to use my datetime log into the @timestamp field, but I cannot parse this format into @timestamp. Why did the date filter not replace the @timestamp value?
My @timestamp is different from the log row:
row[0]
@timestamp: [Wed Nov 2 15:56:42 2016]
message: [Wed Nov 2 15:56:41 2016]
I am following this tutorial:
https://www.digitalocean.com/community/tutorials/adding-logstash-filters-to-improve-centralized-logging
Using:
Elasticsearch 2.2.x, Logstash 2.2.x, and Kibana 4.4.x
The grok pattern used, \A\[%{HTTPDERROR_DATE}](?<message>(.|\r|\n)*) does not create a field from the %{HTTPDERROR_DATE}.
You need to have %{pattern:field} so that the data captured by the pattern creates a field (cf documentation).
So in your case it would be like this:
\A\[%{HTTPDERROR_DATE:timestamp}](?<message>(.|\r|\n)*)
I think Elasticsearch/Kibana @timestamp doesn't support the "EEE MMM dd HH:mm:ss yyyy" format. Hence, you can bring the timestamp to the format "dd/MMM/yyyy:HH:mm:ss.SSSSSS" using the mutate processor.
Snippet as below:
grok {
  match => [ "message", "\[%{DAY:day} %{MONTH:month} %{MONTHDAY:monthday} %{TIME:time} %{YEAR:year}\] %{GREEDYDATA:message}" ]
}
mutate {
  # rebuild the timestamp in day/month/year:time order
  add_field => {
    "timestamp" => "%{monthday}/%{month}/%{year}:%{time}"
  }
}
date {
  locale => "en"
  timezone => "UTC"
  # this format expects six fractional-second digits after the seconds
  match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss.SSSSSS"]
  target => "@timestamp"
  remove_field => ["timestamp", "monthday", "year", "month", "day", "time"]
}
It may help someone. Thanks!
To apply the new field you must enter the target to overwrite the field:
target => "@timestamp"
For example:
date {
  match => [ "timestamp", "dd MMM yyyy HH:mm:ss" ]
  target => "@timestamp"
  locale => "en"
  remove_field => [ "timestamp" ]
}

_dateparsefailure when the date already has a match

I'm trying to config logstash to process some test log, but I keep getting a dateparsefailure and I don't understand why. My input is
2016-09-18 00:00:02,013 UTC, idf="639b26a731284b43beac8b26f829bcab"
And my config (I've also tried including the timezone into the pattern):
input {
  file {
    path => "/tmp/test.log"
    start_position => "beginning"
  }
}
filter {
  date {
    match => ["message", "yyyy-MM-dd HH:mm:ss,SSS"]
    timezone => "UTC"
    add_field => { "debug" => "timestampMatched"}
  }
  grok {
    match => { "message" => "%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day} %{HOUR:hour}:%{MINUTE:minute}:%{SECOND:second},%{NUMBER:milis} UTC, idf=\"%{WORD:idf}\""}
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
  }
  stdout {
    codec => rubydebug
  }
}
Finally, the error:
{:timestamp=>"2016-09-21T10:04:32.060000+0000", :message=>"Failed parsing date from field", :field=>"message", :value=>"2016-09-18 00:00:02,013 UTC, idf=\"639b26a731284b43beac8b26f829bcab\"", :exception=>"Invalid format: \"2016-09-18 00:00:02,013 UTC, idf=\"639b26a731284b4...\" is malformed at \" UTC, idf=\"639b26a731284b4...\"", :config_parsers=>"yyyy-MM-dd HH:mm:ss,SSS", :config_locale=>"default=en_US", :level=>:warn, :file=>"logstash/filters/date.rb", :line=>"354", :method=>"filter"}
It says that the date is malformed after the end of it. Why does this happen? Shouldn't it 'stop searching' since the date already has a match?
Before you can use the date filter, you first have to use grok to separate the date and the rest of the message. The date filter only accepts a timestamp. If you have any other information in the field the error you are describing will occur.
Using your provided logline I would recommend this:
filter {
  grok {
    # split the leading timestamp from the rest of the line
    match => { "message" => "%{TIMESTAMP_ISO8601:timedate} %{GREEDYDATA}"}
  }
  date {
    # field name first, then the format(s) to try
    match => [ "timedate", "yyyy-MM-dd HH:mm:ss,SSS" ]
  }
}
In this minimal example I match the timestamp in the timedate field and then crunch it through the date filter.
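The same two-step shape (isolate the timestamp, then parse it strictly) applied to three of the line formats on this page: the Build Stamp line, the comma-millisecond line from this question, and the bracketed HTTPDERROR_DATE line. This is an added Python example, not code from any of the posts; the regexes stand in for grok, `strptime` stands in for the date filter because it also rejects input with trailing text, and treating every source as UTC is an assumption.

```python
import re
from datetime import datetime, timezone

# (name, regex that isolates the timestamp, strptime format). The regex plays
# the role of grok; strptime plays the role of the date filter and, like it,
# must consume its whole input.
FORMATS = [
    ("build_stamp",
     re.compile(r"(\d{2}:\d{2}:\d{2})\s+On\s+([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})"),
     "%H:%M:%S %b %d %Y"),
    ("iso_comma",
     re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"),
     "%Y-%m-%d %H:%M:%S,%f"),
    ("httpd_error",
     re.compile(r"^\[([A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\]"),
     "%a %b %d %H:%M:%S %Y"),
]

def strict_parse(text, fmt):
    """Date step: None unless the text is exactly one timestamp (UTC assumed)."""
    try:
        return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
    except ValueError:  # includes "unconverted data remains"
        return None

def normalize(line):
    """Grok step, then date step; (format name, UTC datetime) or None."""
    for name, pattern, fmt in FORMATS:
        m = pattern.search(line)
        if m is None:
            continue
        # Joining the captured groups drops the "On" keyword.
        parsed = strict_parse(" ".join(m.groups()), fmt)
        if parsed is not None:
            return name, parsed
    return None

# Sample lines taken from the questions on this page.
SAMPLES = [
    "= Build Stamp: 10:45:33 On Apr 4 2014 =",
    '2016-09-18 00:00:02,013 UTC, idf="639b26a731284b43beac8b26f829bcab"',
    "[Sun Oct 30 17:16:09 2016] [TRACE_HIGH] [TEST1] MessageTest1",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(strict_parse(line, "%Y-%m-%d %H:%M:%S,%f"), normalize(line))
```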

logstash : can't mutate a date field, but can mutate other types

date {
  match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
  target => "ttt"
}
mutate {
  add_field => { "eee" => "%{ttt}"}
}
mutate {
  gsub => [
    "eee", "2016", "2015"
  ]
}
I want to change year 2016 to 2015 in my field eee but logstash doesn't want to change it. I tried to mutate a non-date field and it works... Why?
If you're running logstash 2, they just fixed this bug, so you might update the date filter.
If you still wanted to do it yourself, why not add it to syslog_timestamp (the string) before calling date{}? You would need to modify your pattern, too.
date {
  match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
  target => "aaaa"
}
mutate {
  add_field => { "eeee" => " %{aaaa}" }
}
mutate {
  gsub => [ "eeee", "2016", "2015" ]
}
mutate {
  strip => ["eeee"]
}
The only solution I found is to force logstash to see eeee as a string instead of as an immutable date by adding a leading whitespace.
