Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Logstash replace @timestamp with syslog date

Tags:

timestamp

filter

syslog

logstash

logstash-grok

I'm a bit confused. I'm trying to pull out the syslog date (backfilling the logstash) and replace the @timestamp with it. I've tried almost everything.

This is my filter

filter {
   if [type] == "syslog" {
   grok {
     match => {
"message" => ["%{SYSLOGTIMESTAMP:DATETIME} %{WORD:SERVER} (?<BINARY>(.*?)(php\-cgi|php))\: %{DATA:PHP_ERROR_TYPE}\:\s\s(?<PHP_ERROR_DESC>(.*?)(e\s\d))""]
  }
}

date {
  match => { "DATETIME" => [ "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ] }
  target => "@timestamp"
  add_tag => [ "tmatch" ]
}

if !("_grokparsefailure" in [tags]) {
  mutate {
    replace => [ "@source_host", "%{SERVER}" ]
  }
}
mutate {
  remove_field => [ "SERVER" ]
}
}
}

sample output:

{
    "message" => "Sep 10 00:00:00 xxxxxxx",
    "@timestamp" => "2013-12-05T13:29:35.169Z",
      "@version" => "1",
          "type" => "xxxx",
          "host" => "127.0.0.1:xxx",
      "DATETIME" => "Sep 10 00:00:00",
        "BINARY" => "xxxx",
"PHP_ERROR_TYPE" => "xxxx",
"PHP_ERROR_DESC" => "xxxxx",
          "tags" => [
    [0] "tmatch"
],
  "@source_host" => "xxx"
}

tmatch is in the tags so I assume that the date filter works, but why do I still have:

@timestamp => "2013-12-05T13:29:35.169Z"

?

Thanks for help (my logstash is logstash-1.2.2-flatjar.jar)

like image 730
user3070418 Avatar asked Dec 05 '13 13:12

user3070418

1 Answers

Let's take a look at your date filter:

date {
  match => { "DATETIME" => [ "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ] }
  target => "@timestamp"
  add_tag => [ "tmatch" ]
}

In particular, the match parameter:

match => { "DATETIME" => [ "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ] }

Match expects an array. I'm not sure what you're passing, exactly, but it's definitely not an array. I tried running this with -v, and I'm surprised to see it doesn't complain.

You probably mean something closer to this:

match => ["DATETIME", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601"]

Note the first element of the array is the target field; additional elements are pattern(s) to match against.

Past that, you really only need to pass the one format you expect, but it looks like that's included among the three you're sending.

like image 95
rutter Avatar answered Sep 22 '22 10:09

rutter
Sign in to Comment

Related questions

How to get the index of filtered item in list using lambda?
Filter the middle row of each group
How to filter array of JSON-objects with multiple integer conditions and key values
How to use logical OR in SPARQL regex()?
Name of current example/group in rspec hook
Can I use a filter inside a filter in AngularJS?
How to make exact values and match queries on same field in elasticsearch?
pandas: filter group by multiple conditions?
Filtering string/float/integer values in pandas dataframe columns
Active Admin: How to customize labels for select filter?
Filter usage in shapeless, Scala
How to add a gradient/filter in the image in CSS
Java 8 Stream - Why is filter method not executing? [duplicate]
Set optional parameters in JPQL Query
Print only values smaller than certain threshold in bash
filtering custom adapter IndexOutOfBoundsException
Android Filtering a List of Objects
ffmpeg drawbox on a given frame
Django query returns the same objects twice
DirectoryInfo.GetFiles, How to get different types of files in C#

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!