Logstash Date filter on special date format

Question

Im trying to store old log files in elastic and im using logstash for that.

time stamps in the logs are of the following format:

13 AUG 2015 | 07:04:35 | .......

1st problem was the fact the month is in upper case so i copied the "MONTH" pattern as it appears in the grok-patterns and upper-cased all of it:

original MONTH:

MONTH \b(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|Jun(?:e)?|Jul(?:y)?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)\b

my upper-case "MONTHCAP":

MONTHCAP \b(?:JAN(?:UARY)?|FEB(?:RUARY)?|MAR(?:CH)?|APR(?:IL)?|MAY|JUN(?:E)?|JUL(?:Y)?|AUG(?:UST)?|SEP(?:TEMBER)?|OCT(?:OBER)?|NOV(?:EMBER)?|DEC(?:EMBER)?)\b

next thing i try to do is use the date filter so elastic uses the timestamp from the log as @timestamp filed and NOT the time of the line being stored in elastic:

date{
                match => ["MONTHDAY","dd","MONTHCAP","MMM","YEAR","yyyy","TIME","HH:mm:ss"]
    }

The problem is that i get the following error trying to store the data:

Error: Cannot register filter date plugin. The error reported is:
Illegal pattern component: O for pattern 'MONTHCAP'

additional information: this is the grok filter i use to parse the log lines:

%{MONTHDAY} %{MONTHCAP} %{YEAR} \| %{TIME} \|

any idea why i keep getting this error when thr pattern i use is 'MMM' ? THanks!

Answer 1

In the documentation the match is only for one field :

match => [ "logdate", "MMM dd YYY HH:mm:ss",
      "MMM  d YYY HH:mm:ss", "ISO8601" ]

It takes the first solution which matchs with logdate field.

You need to construct a field which is your date and after you can do your date filter.

 match => [logdate, dd MMM yyyy HH:mm:ss]