Formatting Windows timestamp using Logstash

Question

I have successfully integrated Windows Event logs to Logstash. the timestamp on windows event logs looks like this: 20131007071942.087375-000

To convert this timestamp into a readable one i have used the date filter on logstash.

date{
  match => [ "TimeGenerated", "yyyyMMddHHmmss.ssssss-sss" ]
}

This gives me this error :

 ←[33mFailed parsing date from field {:field=>"TimeGenerated", :value=>"20131007080720.040037-
000", :exception=>java.lang.IllegalArgumentException: Invalid format: "20131007080720.040037-
000" is too short, :level=>:warn}←[0m

It would be great if someone could help me to fix this. Thanks

CAB · Answer 1 · 2013-10-15T14:31:37.563

0

Try using the grok debugger:

http://grokdebug.herokuapp.com/

and looking at the existing regex patterns: https://github.com/logstash/logstash/tree/master/patterns

To get you started:

%{YEAR:YYYY}%{MONTHNUM:MM}%{MONTHDAY:dd}%{GREEDYDATA:remainder}

edited Oct 15 '13 at 14:31

answered Oct 15 '13 at 14:22

CAB

225
1
7

Formatting Windows timestamp using Logstash

1 Answers1