I was checking the nginx error logs on our server and found that they start with a date formatted as:
2015/08/30 05:55:20
i.e. YYYY/MM/DD HH:mm:ss. I was trying to find an existing grok date pattern which might help me parse this quickly, but sadly could not find any such date format. Eventually, I had to write the pattern as:
%{YEAR}/%{MONTHNUM}/%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
I am still hoping there is a shorter pattern for the same?
To match 2015/08/30 05:55:20, use:
%{DATESTAMP:mytimestamp}
Tested on Logstash 6.5
Source: https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns
No. You can find the included patterns on GitHub. The comment on DATESTAMP seems to fit your YYYY/MM/DD, but DATE_US and DATE_EU are different.
I suggest overloading the DATE pattern using grok's patterns_dir option and going with DATESTAMP:
DATE_YMD %{YEAR}/%{MONTHNUM}/%{MONTHDAY}
DATE %{DATE_US}|%{DATE_EU}|%{DATE_YMD}
or just add your pattern into a patterns file and use grok's patterns_dir option.
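The override from this answer worked through as an added example (not from the original post, nor Logstash's own code): a small Python grok expander loaded with a subset of the stock YEAR/MONTHNUM/MONTHDAY/DATE_US/DATE_EU definitions plus the DATE_YMD override, showing why the stock DATE mis-captures a YYYY/MM/DD timestamp in an unanchored search and how the overridden, anchored pattern parses an nginx error-log line. The sample line, the simplified TIME and LOGLEVEL definitions and the non-atomic YEAR group are assumptions.

```python
import re
from datetime import datetime

# Subset of the stock grok-patterns definitions. YEAR's atomic group (?>..) is
# written as (?:..) for older Pythons; TIME and LOGLEVEL are simplified (assumed).
STOCK = {
    "YEAR":       r"(?:\d\d){1,2}",
    "MONTHNUM":   r"(?:0?[1-9]|1[0-2])",
    "MONTHDAY":   r"(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])",
    "HOUR":       r"(?:2[0123]|[01]?[0-9])",
    "MINUTE":     r"(?:[0-5][0-9])",
    "SECOND":     r"(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)",
    "TIME":       r"%{HOUR}:%{MINUTE}:%{SECOND}",
    "DATE_US":    r"%{MONTHNUM}[/-]%{MONTHDAY}[/-]%{YEAR}",
    "DATE_EU":    r"%{MONTHDAY}[./-]%{MONTHNUM}[./-]%{YEAR}",
    "DATE":       r"%{DATE_US}|%{DATE_EU}",
    "DATESTAMP":  r"%{DATE}[- ]%{TIME}",
    "LOGLEVEL":   r"(?:emerg|alert|crit|error|warn|notice|info|debug)",  # nginx levels
    "GREEDYDATA": r".*",
}
# Equivalent of the patterns_dir override above: DATE_YMD added, DATE redefined.
OVERRIDE = {**STOCK,
            "DATE_YMD": r"%{YEAR}/%{MONTHNUM}/%{MONTHDAY}",
            "DATE": r"%{DATE_US}|%{DATE_EU}|%{DATE_YMD}"}

GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")

def expand(pattern, defs):
    """Recursively rewrite %{NAME} / %{NAME:field} into a Python regex, as grok does."""
    def sub(m):
        name, field = m.group(1), m.group(2)
        inner = expand(defs[name], defs)
        return f"(?P<{field}>{inner})" if field else f"(?:{inner})"
    return GROK_REF.sub(sub, pattern)

def first_datestamp(line, defs):
    """Unanchored %{DATESTAMP:ts} search, mirroring grok's default (unanchored) matching."""
    m = re.search(expand("%{DATESTAMP:ts}", defs), line)
    return m.group("ts") if m else None

def parse_nginx_error(line):
    """Anchored parse of an nginx error-log line into (datetime, level, message) or None."""
    rx = re.compile(expand(r"^%{DATESTAMP:ts} \[%{LOGLEVEL:level}\] %{GREEDYDATA:msg}$", OVERRIDE))
    m = rx.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"), m.group("level"), m.group("msg")

# Constructed sample line in nginx error-log format (not taken from the original post).
SAMPLE = '2015/08/30 05:55:20 [error] 1234#1234: *5 open() "/var/www/missing" failed (2: No such file or directory)'

if __name__ == "__main__":
    print(first_datestamp(SAMPLE, STOCK))     # 15/08/30 05:55:20  (DATE_EU grabbed day=15, year=30)
    print(first_datestamp(SAMPLE, OVERRIDE))  # 2015/08/30 05:55:20
    print(parse_nginx_error(SAMPLE))
```

The first print shows the silent mis-capture a stock DATESTAMP produces on this log format, which is why anchoring the pattern and overriding DATE both matter when the field feeds @timestamp.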
A successful timestamp capture strategy comprises 3 things:
Use $msec to capture milliseconds. Otherwise you wouldn't be able to sort it precisely.
log_format custom '[$msec] [$remote_addr] [$remote_user] '
                  '"$request" $status '
                  '"$http_referer" "$http_user_agent"';
Use GREEDYDATA:
grok {
  match => { "message" => "\[%{GREEDYDATA:raw_timestamp}\] %{GREEDYDATA:message}" }
  overwrite => [ "message" ]
}
Use the date filter to parse the raw timestamp (reference):
date {
  # parse the field the grok above actually produces; $msec is epoch seconds
  # with a millisecond fraction, which the UNIX format understands
  match => [ "raw_timestamp", "UNIX" ]
  target => "@timestamp"
}