I was checking the nginx error logs at our server and found that they start with date formatted as:
2015/08/30 05:55:20
i.e. YYYY/MM/DD HH:mm:ss. I was trying to find an existing grok date pattern which might help me in parsing this quickly but sadly could not find any such date format. Eventually, I had to write the pattern as:
%{YEAR}/%{MONTHNUM}/%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
I am still hoping if there is a shorter pattern for the same ?
No. You find the included patterns on github. The comment to datestamp seems to fit to your YYYY/MM/DD, but DATE_US and DATE_EU are different.
I suggest overload the DATE pattern using grok option patterns_dir and go with DATESTAMP.
DATE_YMD %{YEAR}/%{MONTHNUM}/%{MONTHDAY}
DATE %{DATE_US}|%{DATE_EU}|%{DATE_YMD}
or just add your pattern into a patterns-file and use grok's patterns_dir option.
To match 2015/08/30 05:55:20, use:
%{DATESTAMP:mytimestamp}
Tested on Logstash 6.5
Source: https://github.com/logstash-plugins/logstash-patterns-core/blob/master/patterns/grok-patterns
Successful timestamp capture strategy comprised of 3 things
Use $msec to capture milliseconds. Otherwise you wouldn't be able to sort it precisely.
log_format custom '[$msec] [$remote_addr] [$remote_user] '
'"$request" $status '
'"$http_referer" "$http_user_agent"';
Use GREEDYDATA:
grok {
match => { "message" => "\[%{GREEDYDATA:raw_timestamp}\] %{GREEDYDATA:message}" }
overwrite => [ "message" ]
}
date filter to parse raw timestamp.date {
match => [ "timestamp", "yyyy/MM/dd HH:mm:ss.S z" ]
target => "@timestamp"
}
You can also simply include the joda.time pattern which is simple and short.
date {
match => [ "timestamp", "yyyy/MM/dd HH:mm:ss" ]
target => "@timestamp"
}
Helpful link for reference: https://docs.oracle.com/javase/8/docs/api/java/time/format/DateTimeFormatter.html
© 2022 - 2024 — McMap. All rights reserved.
[T ]and%{ISO8601_TIMEZONE}?? Looking at your single example they're unnecessary. Also, why make the seconds optional? – Tonettetoney