Soundarya Thiagarajan

Reputation: 574

logstash configuration grok parse timestamp

I am trying to parse

[7/1/05 13:41:00:516 PDT]

This is the configuration grok I have written for the same:

\[%{DD/MM/YY HH:MM:SS:S Z}\]

With the date filter:

input {
file {
path => "logstash-5.0.0/bin/sta.log"
start_position => "beginning"
}
}
filter {
grok {
match =>" \[%{DATA:timestamp}\] "
}
date {
match => ["timestamp","DD/MM/YY HH:MM:SS:S ZZZ"]
}
}
output {
stdout{codec => "json"}
}

Above is the configuration I have used.

And consider this as my sta.log file content:

[7/1/05 13:41:00:516 PDT]

Getting this error:

[2017-01-31T12:37:47,444][ERROR][logstash.agent           ] fetched an invalid config {:config=>"input {\nfile {\npath => \"logstash-5.0.0/bin/sta.log\"\nstart_position => \"beginning\"\n}\n}\nfilter {\ngrok {\nmatch =>\"\\[%{DATA:timestamp}\\]\"\n}\ndate {\nmatch => [\"timestamp\"=>\"DD/MM/YY HH:MM:SS:S ZZZ\"]\n}\n}\noutput {\nstdout{codec => \"json\"}\n}\n\n", :reason=>"Expected one of #, {, ,, ] at line 12, column 22 (byte 184) after filter {\ngrok {\nmatch =>\"\\[%{DATA:timestamp}\\]\"\n}\ndate {\nmatch => [\"timestamp\""}

Can anyone help here?

Upvotes: 0

Views: 483

Answers (1)

Fairy

Reputation: 3780

You forgot to specify the input for your grok filter. A correct configuration would look like this:

input {
  file {
    path => "logstash-5.0.0/bin/sta.log"
    start_position => "beginning"
  }
}

filter {
  grok {
    match => {"message" => "\[%{DATA:timestamp} PDT\]"}
  }
  date {
    match => ["timestamp","dd/MM/yy HH:mm:ss:SSS"]
  }
}

output {
  stdout{codec => "json"}
}

For further reference check out the grok documentation here.

Upvotes: 1
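An added example, not part of the answer above or of the Logstash project: the answer's filter block extended so that the zone abbreviation is captured rather than hard-coded and the zone is pinned for the date filter, which matters when these timestamps feed an incident timeline. Joda-Time patterns cannot parse zone abbreviations such as PDT, so grok takes the abbreviation and the date filter's `timezone` option supplies the zone. The field name `tz_abbrev` and the zone ID `America/Los_Angeles` are assumptions for illustration.

```logstash
filter {
  grok {
    # Capture the abbreviation instead of matching the literal "PDT", so
    # lines written during standard time ("PST") are not tagged
    # _grokparsefailure and dropped from the timeline.
    match => { "message" => "\[%{DATA:timestamp} (?<tz_abbrev>P[SD]T)\]" }
  }

  date {
    # Day/month order is kept from the answer above. PDT is daylight time,
    # which is not in effect in January, so if the application writes the
    # month first use "M/d/yy HH:mm:ss:SSS" here instead.
    match => ["timestamp", "dd/MM/yy HH:mm:ss:SSS"]

    # The captured string carries no zone. Without this option the date
    # filter interprets it in the default zone of the host running
    # Logstash, which shifts @timestamp when that host is not on Pacific time.
    timezone => "America/Los_Angeles"

    # Events whose timestamp does not match keep their ingest time in
    # @timestamp; the tag makes them easy to find and review.
    tag_on_failure => ["_dateparsefailure"]
  }
}
```

Running `bin/logstash -f <config file> --config.test_and_exit` checks the syntax before the pipeline starts, which would have caught the "fetched an invalid config" error from the question.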
