Is there any existing grok{} pattern for date format YYYY/MM/DD HH:mm:ss?

logstash logstash-grok
Mandeep Singh picture Mandeep Singh · Sep 5, 2015 · Viewed 49k times · Source

I was checking the nginx error logs at our server and found that they start with date formatted as:

2015/08/30 05:55:20

i.e. YYYY/MM/DD HH:mm:ss. I was trying to find an existing grok date pattern which might help me in parsing this quickly but sadly could not find any such date format. Eventually, I had to write the pattern as: 

%{YEAR}/%{MONTHNUM}/%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?

I am still hoping if there is a shorter pattern for the same ?

Answer

dtrv picture dtrv · Sep 7, 2015

No. You find the included patterns on github. The comment to datestamp seems to fit to your YYYY/MM/DD, but DATE_US and DATE_EU are different.

I suggest overload the DATE pattern using grok option patterns_dir and go with DATESTAMP.

DATE_YMD %{YEAR}/%{MONTHNUM}/%{MONTHDAY}
DATE %{DATE_US}|%{DATE_EU}|%{DATE_YMD}

or just add your pattern into a patterns-file and use grok's patterns_dir option.

Related questions

How to handle non-matching Logstash grok filters

I am wondering what the best approach to take with my Logstash Grok filters. I have some filters that are for specific log entries, and won't apply to all entries. The ones that don't apply always generate _grokparsefailure tags. For …

Read More
How to process multiline log entry with logstash filter?

Background: I have a custom generated log file that has the following pattern : [2014-03-02 17:34:20] - 127.0.0.1|ERROR| E:\xampp\htdocs\test.php|123|subject|The error message goes here ; array ( 'create' => array ( 'key1' => 'value1', 'key2' => …

Read More
Change default mapping of string to "not analyzed" in Elasticsearch

In my system, the insertion of data is always done through csv files via logstash. I never pre-define the mapping. But whenever I input a string it is always taken to be analyzed, as a result an entry like hello …

Read More