stackoom
  简体   繁体   中英

TIMESTAMP GROK FAILURE

 原文  2020-03-18 03:21:52       logstash/ logstash-grok

Question

some issue with grok timestamp pattern 

2020-3-4 10:22:37 >> this will match with this pattern %{TIMESTAMP_ISO8601:my_time}

2020-3-4 0:2:37 >> this will fail with this pattern %{TIMESTAMP_ISO8601:my_time}

also tried to match the pattern by using this separate pattern like YEAR MONTH AND DAY but again it will break when it reaches time %{HOUR}:%{MINUTE}:%{SECOND} . Any idea ?

1 answers

solution1
 0 ACCPTED  2020-03-18 11:48:48

The issue is with how the minute pattern is defined in logstash: (?:[0-5][0-9]) . This pattern expects a two digit minute number, which breaks in your second case ( 2020-3-4 0:2:37 ).

I've changed the pattern to accept a one-digit number of minutes: (?:[0-5][0-9]|[0-9])

You can then use this custom pattern:

(?<my_time>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?(?:[0-5][0-9]|[0-9])(?::?%{SECOND})?%{ISO8601_TIMEZONE}?)

which is the TIMESTAMP_ISO8601 with MINUTE replaced by my pattern.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Grok parse failure with Logstash logstash: grok parse failure Logstash and Grok filter failure GROK parse failure for logstash Grok formatting for a custom timestamp Grok patter for timestamp with timezone Grok recreate timestamp and message Grok patterns for timestamp Grok formatting for a custom timestamp Logstash grok filter grok parse failure
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM