_dateparsefailure again

Elastic Stack Logstash
1

Hi everyone!

I have this configuration:

filter{
grok{
match => { "message" => "%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:severity} [%{DATA:class}] %{GREEDYDATA:message}" }
}
date{
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS" ]
}
}

And my app log lines are like this:

2017-05-29 09:17:13.0214 INFO [HQ.TIMServices.ProgramService] Message bla bla bla...

The grok filter is working properly but the date filter is not working, the error is the famous: _dateparsefailure

What am I missing?

Thanks in advance!

Santiago

2

Hi,

There's a typo in the date format, I do believe you should use yyy-MM-dd HH:mm:ss.SSS instead of yyy-MM-dd HH:mm:ss,SSS :wink:

-- edit --

Spoke too soon :smiley:

You should use yyy-MM-dd HH:mm:ss.SSSS . Furthermore, as your subsecond part is a little more precise than what is supported by logstash, it will be truncated to milliseconds.

Here's my logstash pipeline :

input { stdin {} }

filter {
	grok {
		match => { "message" => "%{TIMESTAMP_ISO8601:my_timestamp}" }
	}
	date {
		match => [ "my_timestamp", "yyyy-MM-dd HH:mm:ss.SSSS" ]
		target => "my_timestamp_parsed"
	}
}

output {stdout { codec => rubydebug } }

And here's a sample output :

current/bin/logstash -f sample.conf 
Sending Logstash's logs to .../current/logs which is now configured via log4j2.properties
[2017-05-29T19:40:43,153][INFO ][logstash.pipeline        ] Starting pipeline {"id"=>"main", "pipeline.workers"=>16, "pipeline.batch.size"=>125, "pipeline.batch.delay"=>5, "pipeline.max_inflight"=>2000}
[2017-05-29T19:40:43,175][INFO ][logstash.pipeline        ] Pipeline main started
The stdin plugin is now waiting for input:
[2017-05-29T19:40:43,212][INFO ][logstash.agent           ] Successfully started Logstash API endpoint {:port=>9600}
2017-05-29 09:17:13.0214
{
             "@timestamp" => 2017-05-29T17:40:55.424Z,
           "my_timestamp" => "2017-05-29 09:17:13.0214",
               "@version" => "1",
                   "host" => "localhost.localdomain",
    "my_timestamp_parsed" => 2017-05-29T07:17:13.021Z,
                "message" => "2017-05-29 09:17:13.0214"
}

Best regards,

Charles.w

3

Hi! thanks for your reply! I had tried that before and it didn't work. I've been able to solve it by appliying this filter:

match => [ "timestamp", "yyyy-MM-dd HH:mm:ss'.'SSSS" ]

I still don't know what is wrong but now, at least, it's working.

Thanks Charles!

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.