_dateparsefailure when shipping logs from Docker via GELF

privatwolke · June 2, 2016, 9:23am

Hey there!

I am trying to ship logs from Docker to logstash via the gelf input plugin:

input { gelf {} }

This is what I am getting in my logs:

{:timestamp=>"2016-06-02T09:14:00.434000+0000", :message=>"Failed parsing date from field", :field=>"@timestamp", :value=>"2016-06-02T09:14:00.000Z", :exception=>"cannot convert instance of class org.jruby.RubyObject to class java.lang.String", :config_parsers=>"yyyy-MM-dd HH:mm:ss,SSS", :config_locale=>"default=en_US", :level=>:warn}
{
           "version" => "1.1",
              "host" => "default",
             "level" => 6,
          "@version" => "1",
        "@timestamp" => "2016-06-02T09:14:00.000Z",
       "source_host" => "192.168.99.100",
           "message" => "{\"@name\": \"test\", \"@timestamp\": \"2016-06-02 09:14:00,000\", \"@levelname\": \"INFO\", \"@source_host\": \"2c3ccf23e729\", \"duration\": 0.37261}",
           "command" => "bin/app",
      "container_id" => "2c3ccf23e729ab7ebc7e586e3068dd2eeccac3f1250cda012ddd601249891a45",
    "container_name" => "localdev_test_1",
           "created" => "2016-06-02T07:41:57.018434389Z",
          "image_id" => "sha256:db3aab57f09f0e64f39895232afc31f266865edb95521cd38a3cc0c068e71311",
        "image_name" => "test/container-name:latest",
               "tag" => "json",
              "tags" => [
        [0] "_dateparsefailure"
    ]
}

I have tried adding a custom date filter:

date {
  match => ["@timestamp",
              "ISO8601",
              "yyyy-MM-dd HH:mm:ss.SSS",
              "yyyy-MM-dd' 'HH:mm:ss.SSS",
              "yyyy-MM-dd'T'HH:mm:ss.SSSZ",
              "yyyy-MM-dd'T'HH:mm:ss.SSSSSS'+0000'"]
  timezone => 'UTC'
}

But that does not change the errors I am getting. Curiously I am still seeing this: :config_parsers=>"yyyy-MM-dd HH:mm:ss,SSS". I would expect to see my own patterns here as well.

Any ideas? Because I am at a complete loss here...

Version information

logstash (2.0.0)
logstash-input-gelf (2.0.2)
logstash-filter-date (2.0.2)

purbon · June 2, 2016, 12:49pm

Hi,
I tried your example, you can see my results here ,

Pipeline main started
2016-06-02T09:14:00.434000+0000
{
    "@timestamp" => 2016-06-02T09:14:00.434Z,
      "@version" => "1",
          "host" => "skywalker",
       "message" => "2016-06-02T09:14:00.434000+0000"
}
foo
Failed parsing date from field {:field=>"message", :value=>"foo", :exception=>"Invalid format: \"foo\"", :config_parsers=>"ISO8601,yyyy-MM-dd HH:mm:ss.SSS,yyyy-MM-dd' 'HH:mm:ss.SSS,yyyy-MM-dd'T'HH:mm:ss.SSSZ,yyyy-MM-dd'T'HH:mm:ss.SSSSSS'+0000'", :config_locale=>"default=en_US", :level=>:warn}
{
    "@timestamp" => 2016-06-02T12:41:33.413Z,
      "@version" => "1",
          "host" => "skywalker",
       "message" => "foo",
          "tags" => [
        [0] "_dateparsefailure"
    ]
}

I think what happen to you here is that you're using the @timestamp value as the one used to get the value. This is a reserved keyword for logstash, i do suggest you used another name for incoming timestamp, as you can see from my example here parsing works just as expected with your rules, so issues is not related with your expressions.

hope it helps,

-purbon

Topic		Replies	Views
_dateparsefailure - Failing to parse timestamp field into @timestamp Logstash docker	5	372	May 11, 2020
[ERROR] Logstash: _dateparsefailure for xml output using the date plugin Logstash docker	2	306	January 4, 2024
Error parsing timestamp Logstash	2	1293	July 12, 2021
Docker gelf and logstash to logstash Logstash	5	2625	July 6, 2017
_dateparsefailure in tags Logstash	3	287	August 11, 2020

_dateparsefailure when shipping logs from Docker via GELF

Related topics