Timestamp from log

eddie4 · November 2, 2018, 1:54pm

Yes i am aware of that many have already asked this question but rather sure am doing this correctly.

The log is is as follows
Nov 2 14:35:50 localhost hapee-lb[38513]: 87.23xxxxx:20216 [02/Nov/2018:14:35:48.112] …

The Grok patern is:
%{SYSLOGTIMESTAMP} %{WORD} %{PROG}(?:\[%{POSINT}\])?: %{IP:client}:%{INT} \[%{TRUESERVER_HAPROXYDATE:accept_date}\]

TRUESERVER_HAPROXYDATE:accept_date >> %{MONTHDAY}/%{MONTH}/%{YEAR}:%{TRUESERVER_HAPROXYTIME}.%{INT}

The pipe line has
let new_date = parse_date(to_string($message.accept_date), "dd/MMM/yyyy:hh:mm:ss.SSS"); set_field("timestamp", new_date);

Any help or insight would be appreciated

jtkarvo · November 4, 2018, 8:27am

hi

the timestamp field can be picky. I would debug this in two phases: first set_field a test field and check that it works. If it works, the problem can be the date format specified in elasticsearch for the timestamp field. You might need to loosen it to accept the date in the format the parse_date function gives. (see field mappings in Elasticsearch: https://www.elastic.co/guide/en/elasticsearch/reference/5.4/date.html) I remember that I had a similar problem at some point.

jan · November 4, 2018, 6:51pm

I would also - always - set the timezone that this timestamp is located in if not UTC. After that following the advice and debug step by step.

system · November 18, 2018, 6:51pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extract Timestamp from Log and apply it to the index Graylog Central (peer support)	2	3881	May 4, 2018
Pipeline for timestamp Graylog Central (peer support)	6	3758	April 19, 2018
Parse_date() returns January Graylog Central (peer support)	3	1286	June 12, 2020
Graylog 2.5.2 - Can't search on timestamp Graylog Central (peer support)	7	969	February 14, 2020
Timestamp can't be replaced Graylog Central (peer support)	2	590	December 10, 2019

Timestamp from log

Related topics