BryanDavis has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/110971

Change subject: logstash: Parse apache2 events where day of month < 10
......................................................................

logstash: Parse apache2 events where day of month < 10

The date format used in the apache2 log stream pads the day of month
field of its timestamp with spaces rather than zeros or leaving the
value as a variable width string. The logstash grok filter we were using
previously did not account for the space padding. Also adds date parsing
support for the space padded dates.

The changeset also corrects an obvious typo in the date format for fatal
events.

Bug:60772
Change-Id: I0546094fb0a3fb266515e2aeeb55ba7b303b560c
---
M files/logstash/filter-mw-via-udp2log.conf
1 file changed, 3 insertions(+), 3 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/puppet refs/changes/71/110971/1

diff --git a/files/logstash/filter-mw-via-udp2log.conf 
b/files/logstash/filter-mw-via-udp2log.conf
index 40400bb..2dc8a06 100644
--- a/files/logstash/filter-mw-via-udp2log.conf
+++ b/files/logstash/filter-mw-via-udp2log.conf
@@ -115,7 +115,7 @@
       grok {
         match => [
           "message",
-          "^(?<logdate>%{MONTH} %{MONTHDAY} %{TIME}) 
%{NOTSPACE:host}:%{SPACE}%{GREEDYDATA:message}$"
+          "^(?<logdate>%{MONTH}\s+%{MONTHDAY} %{TIME}) 
%{NOTSPACE:host}:%{SPACE}%{GREEDYDATA:message}$"
         ]
         overwrite => [ "host", "message" ]
         named_captures_only => true
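Review bot: `\s+` on the added `logdate` line accepts any run of whitespace, tabs included, between the month and the day, while the `date` filter in the next hunk only lists `MMM dd` and `MMM  d`, that is exactly one or two spaces. A line with any other separator would pass grok, get past the `_grokparsefailure` guard and then fail date parsing, so the event would not get the timestamp from the log line. Suggest narrowing the separator to what the date formats can handle, for example `%{MONTH} {1,2}%{MONTHDAY}`, so that grok and the date filter agree on what a valid `logdate` looks like.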
@@ -132,7 +132,7 @@
       if !("_grokparsefailure" in [tags]) {
         # Use the parsed timestamp as canonical for the event
         date {
-          match => [ "logdate", "MMM dd HH:mm:ss" ]
+          match => [ "logdate", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
           remove_field => [ "logdate" ]
           add_tag => [ "logdate" ]
         }
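Review bot: the added format `"MMM  d HH:mm:ss"` depends on two literal spaces between `MMM` and `d`, which is easy to lose in a later whitespace cleanup and is not explained by the comment above the `date` block. Suggest adding a short comment stating that the second pattern covers space-padded days 1 to 9, and attaching a sample apache2 line with a single-digit day to the change so the match can be checked.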
@@ -243,7 +243,7 @@
       if !("_grokparsefailure" in [tags]) {
         # Use the parsed timestamp as canonical for the event
         date {
-          match => [ "logdate", "dd-MMM-YYYY-MM HH:mm:ss" ]
+          match => [ "logdate", "dd-MMM-YYYY HH:mm:ss" ]
           remove_field => [ "logdate" ]
           add_tag => [ "logdate" ]
         }
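Review bot: the corrected format on the added line still has only `dd`, with no alternative for a space-padded day like the one added in the hunk at line 132. If the timestamps of fatal events can carry a space-padded day of month, this block has the same problem the change fixes for apache2 events; worth confirming against a sample from the first nine days of a month before merging.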

-- 
To view, visit https://gerrit.wikimedia.org/r/110971

Gerrit-MessageType: newchange
Gerrit-Change-Id: I0546094fb0a3fb266515e2aeeb55ba7b303b560c
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BryanDavis <[email protected]>