Parsing HaProxy Logs with Different Timestamp Formats

TLDR Zygimantas was facing issues parsing new haproxy logs after an upgrade. Ashish suggested using the vrl function to resolve this problem.

Photo of Zygimantas
Zygimantas
Wed, 08 Nov 2023 08:44:49 UTC

Good day guys, i have this kind of log, what could be best way to parse them? Already tried fluent-bit/filebeat with regexp, but is there a way to parse only parts of log? ```Nov 8 08:42:19 serverą haproxy[7832]: [127.0.0.1] http backend 4710 cD 0/0 random_id [10.10.10.10]:443```

Photo of Zygimantas
Zygimantas
Wed, 08 Nov 2023 08:46:18 UTC

For example, ignore beggining of line “Nov 8 08:42:19”

Photo of Ashish
Ashish
Wed, 08 Nov 2023 08:47:53 UTC

is it syslog?

Photo of Zygimantas
Zygimantas
Wed, 08 Nov 2023 08:48:01 UTC

haproxy logs

Photo of Zygimantas
Zygimantas
Wed, 08 Nov 2023 08:52:02 UTC

It was working perfrctly fine until debian 12 and new haproxy veraion changed timestamp format, all older systems works for now, but newer ones not parsing it correctly, i was wondering if its possible to combine both formats to one stream

Photo of Ashish
Ashish
Wed, 08 Nov 2023 08:52:31 UTC

are you using vrl function to parse them

Photo of Ashish
Ashish
Wed, 08 Nov 2023 08:53:05 UTC

vrl documentation

Photo of Zygimantas
Zygimantas
Wed, 08 Nov 2023 08:53:21 UTC

Not yet, thank you

OpenObserve Logo

OpenObserve

Indexed 419 threads

OpenObserve is an open-source, petabyte-scale observability platform for the cloud native realm, offering a 10x cost reduction and 140x less storage use compared to competitors like Elasticsearch or Splunk. Built in Rust for exceptional performance, it offers comprehensive features like logs, metrics, traces, dashboards, and more | Knowledge Base powered by Struct.AI

View in App

Similar Threads

Troubleshooting VRL Function Query Run
VRL Support on Syslog Ingestion
Utilizing VRL for Log Grouping and Searching in ETL Jobs
Troubleshooting SQL Query for Timestamp Difference
Handling Nested JSON in OpensObserve