I am trying Grok with the following filter
grok {
  match => { "message" => "%{TIMESTAMP_ISO8601:time}" }
}
date {
  match => [ "time", "ISO8601" ]
}
With this data
[2014-06-19 16:07:02,347] INFO - [Start External Integration context] [45] Starting service
It matches, but doesn't change the @timestamp.
What is wrong? I've spent a couple of hours playing around with this and nothing I thought of made it work.
Running Windows, if that matters...
Got it!
Looks like the date filter "ISO8601" is not working with a space between DATE and TIME.
So this works:
grok {
  match => { "message" => "%{TIMESTAMP_ISO8601:time}" }
}
date {
  match => [ "time", "YYYY-MM-dd HH:mm:ss,SSS" ]
}
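
An added example, not part of the original post: the same filter extended so that a timestamp the date filter cannot parse is visible instead of silently leaving @timestamp at ingest time. The UTC timezone is an assumption about the application, since the sample line carries no zone.

```logstash
filter {
  grok {
    match => { "message" => "%{TIMESTAMP_ISO8601:time}" }
  }

  date {
    # Formats are tried in order and the first one that parses wins.
    # The explicit pattern from the post covers "2014-06-19 16:07:02,347";
    # "ISO8601" stays as a fallback for sources that log the "T" form.
    match => [ "time", "YYYY-MM-dd HH:mm:ss,SSS", "ISO8601" ]

    # Assumption: the application writes its log times in UTC. Without this
    # option the zone of the Logstash host is applied, which skews event
    # ordering when logs from several hosts are correlated.
    timezone => "UTC"

    # This is the default tag, written out so the failure path is explicit.
    tag_on_failure => [ "_dateparsefailure" ]
  }

  # Drop the helper field only when @timestamp was really set from it.
  # Events that failed keep "time" and the tag, so they can be searched
  # for and the pattern list corrected.
  if "_dateparsefailure" not in [tags] {
    mutate {
      remove_field => [ "time" ]
    }
  }
}
```

Searching the output for events tagged `_dateparsefailure` shows exactly which lines still carry the ingest time rather than the time in the log.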