2
votes

Hello, I have the log below

12-Apr-2021 16:11:41.078 WARNING [https-jsse-nio2-8443-exec-3] org.apache.catalina.realm.LockOutRealm.filterLockedAccounts An attempt was made to authenticate the locked user [user1]

I am trying to build a pattern for these for logstash.

I have the following

%{MY_DATE_PATTERN:timestamp}\s%{WORD:severity}\s\[%{DATA:thread}\]\s%{NOTSPACE:type_log}

which parses it into the following

{
  "timestamp": [
    "12-Apr-2021 16:01:01.505"
  ],
  "severity": [
    "FINE"
  ],
  "thread": [
    "https-jsse-nio2-8443-exec-8"
  ],
  "type_log": [
    "org.apache.catalina.realm.CombinedRealm.authenticate"
  ]
}

My date stamp is a custom pattern. It works with the grok debugger but not with the system that I am using, so I would need help to get the date and time with a regex. Would anyone help me, please?

12-Apr-2021 16:11:41.078 GROK REGEX for this

1
Glad my answer worked for you. Please also consider upvoting if my answer proved helpful to you (see How to upvote on Stack Overflow?) as you are entitled to the upvoting privilege after reaching 15 rep points. Note you may upvote all the answers that turned out helpful. - Wiktor Stribiżew

1 Answer

0
votes

Instead of %{MY_DATE_PATTERN:timestamp}, you can use

(?<timestamp>%{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}:%{SECOND})

Legend:

  • %{MONTHDAY} - (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])
  • %{MONTH} - \b(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|ä)?r(?:ch|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\b
  • %{YEAR} - (?>\d\d){1,2}
  • %{HOUR} - (?:2[0123]|[01]?[0-9])
  • %{MINUTE} - (?:[0-5][0-9])
  • %{SECOND} - (?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)
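To show how the answer's `(?<timestamp>...)` group and the question's remaining `%{...}` references turn into one plain regex, here is an added example (not code from the original post or from Logstash): a minimal grok expander in Ruby, the language Logstash's grok filter runs on, with the pattern dictionary copied from the legend above. The `WORD`, `NOTSPACE`, `DATA` and `GREEDYDATA` definitions are the ones from the standard grok core patterns; the trailing `%{GREEDYDATA:message}` field, the `^` anchor and the `locked_user` helper are additions of this example, not part of the question's pattern.

```ruby
# Added example: a tiny grok-to-regex expander (own re-implementation of the
# expansion idea, not Logstash's jls-grok library) applied to the question's
# Tomcat/Catalina log line.

# Built-in grok definitions: the six quoted in the answer's legend plus the
# generic ones the question's own pattern uses (from the grok core patterns).
GROK_PATTERNS = {
  'MONTHDAY'   => '(?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])',
  'MONTH'      => '\b(?:Jan(?:uary|uar)?|Feb(?:ruary|ruar)?|M(?:a|ä)?r(?:ch|z)?|Apr(?:il)?|Ma(?:y|i)?|Jun(?:e|i)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|O(?:c|k)?t(?:ober)?|Nov(?:ember)?|De(?:c|z)(?:ember)?)\b',
  'YEAR'       => '(?>\d\d){1,2}',
  'HOUR'       => '(?:2[0123]|[01]?[0-9])',
  'MINUTE'     => '(?:[0-5][0-9])',
  'SECOND'     => '(?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)',
  'WORD'       => '\b\w+\b',
  'NOTSPACE'   => '\S+',
  'DATA'       => '.*?',
  'GREEDYDATA' => '.*',
}.freeze

# A grok reference is %{NAME} or %{NAME:field}.
GROK_REF = /%\{(?<name>[A-Z0-9_]+)(?::(?<field>[A-Za-z0-9_]+))?\}/

# Recursively replace every %{NAME:field} with a named capture group and every
# bare %{NAME} with a non-capturing group, exactly what grok does at load time.
def expand_grok(pattern, defs = GROK_PATTERNS)
  pattern.gsub(GROK_REF) do
    name  = Regexp.last_match[:name]
    field = Regexp.last_match[:field]
    body  = defs.fetch(name) { raise ArgumentError, "unknown grok pattern %{#{name}}" }
    inner = expand_grok(body, defs) # definitions may themselves use %{...}
    field ? "(?<#{field}>#{inner})" : "(?:#{inner})"
  end
end

# The answer's timestamp group followed by the question's original pattern.
# %{GREEDYDATA:message} is added here so the free-text tail is captured too.
LOG_PATTERN = '(?<timestamp>%{MONTHDAY}-%{MONTH}-%{YEAR} %{HOUR}:%{MINUTE}:%{SECOND})' \
              '\s%{WORD:severity}\s\[%{DATA:thread}\]\s%{NOTSPACE:type_log}\s%{GREEDYDATA:message}'

# Anchored at line start (added; grok itself is unanchored by default).
LOG_REGEX = Regexp.new('^' + expand_grok(LOG_PATTERN))

# Returns a Hash of field name => value, or nil when the line does not match.
def parse_catalina_line(line)
  m = LOG_REGEX.match(line)
  m && m.named_captures
end

# Helper for the lock-out event the question's sample line reports: pulls the
# bracketed account name out of the message when the logger is LockOutRealm.
# This is an addition of the example, not something the question's pattern does.
def locked_user(fields)
  return nil unless fields && fields['type_log'].to_s.end_with?('LockOutRealm.filterLockedAccounts')
  m = /locked user \[(?<user>[^\]]+)\]/.match(fields['message'].to_s)
  m && m[:user]
end

# The line quoted in the question.
SAMPLE_LINE = '12-Apr-2021 16:11:41.078 WARNING [https-jsse-nio2-8443-exec-3] ' \
              'org.apache.catalina.realm.LockOutRealm.filterLockedAccounts ' \
              'An attempt was made to authenticate the locked user [user1]'

if __FILE__ == $PROGRAM_NAME
  puts "Expanded regex:\n#{LOG_REGEX.source}\n\n"
  fields = parse_catalina_line(SAMPLE_LINE)
  fields.each { |k, v| puts "#{k.ljust(10)} = #{v}" }
  puts "locked_user = #{locked_user(fields)}"
end
```

Running the script prints the fully expanded regex, which is the form you can paste into a system that accepts plain regex but not grok references, and then the same four fields the question's grok debugger output shows plus `message`.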