I am working on shipping some logs to elasticsearch using logstash. I am unable to figure out the grok pattern for [Mon Jan 04 08:36:12 2021] .The format is Day Month Date Time Year Help and Suggestions are most welcome.
Log - [Mon Jan 04 08:36:12 2021]
Grok I tried - \[%{DAY:day} %{MONTH:month} %{TIME:time} %{YEAR:year}]
Result Expected - Day:Mon Month:Jan Date:04 Hour:08 Minute:36 Second:12 Year:2021
You forgot to specify the %{MONTHDAY} in between the month and time variables.
You can use
\[%{DAY:day} %{MONTH:month} %{MONTHDAY} %{TIME:time} %{YEAR:year}]
Grok pattern list used:
DAY (?:Mon(?:day)?|Tue(?:sday)?|Wed(?:nesday)?|Thu(?:rsday)?|Fri(?:day)?|Sat(?:urday)?|Sun(?:day)?)MONTH \b(?:[Jj]an(?:uary|uar)?|[Ff]eb(?:ruary|ruar)?|[Mm](?:a|ä)?r(?:ch|z)?|[Aa]pr(?:il)?|[Mm]a(?:y|i)?|[Jj]un(?:e|i)?|[Jj]ul(?:y|i)?|[Aa]ug(?:ust)?|[Ss]ep(?:tember)?|[Oo](?:c|k)?t(?:ober)?|[Nn]ov(?:ember)?|[Dd]e(?:c|z)(?:ember)?)\bMONTHDAY (?:(?:0[1-9])|(?:[12][0-9])|(?:3[01])|[1-9])TIME (?!<[0-9])%{HOUR}:%{MINUTE}(?::%{SECOND})(?![0-9])
HOUR (?:2[0123]|[01]?[0-9])MINUTE (?:[0-5][0-9])SECOND (?:(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)YEAR (?>\d\d){1,2}