_dateparsefailure While parsing string

Elastic Stack Logstash
1

Hi,
Logstash parses logdate field as string. I tried to convert it to datetime (24h format) using date filter, but I get the "_dateparsefailure" error when I try to parse a log line. Could you please help me to parse datetime correctly? What am I missing?

Sample log line: 11/28/2016 11:08:17 AM Mr INFO Creating application []
And here is logstash grok filter that I'm using :

filter {
grok {
match => {"message" => "(?%{DATE} %{TIME} (?:AM|PM)) %{DATA:class} %{LOGLEVEL:log-level} %{GREEDYDATA:event_desc} [%{GREEDYDATA:traceback}]"}
}

date {
  match => [ "logdate", "dd/MM/yyyy KK:mm:ss aa" ]
  target => "@timestamp"
  add_field => { "debug" => "timestampMatched"}
}

}

And the rubydebug output is here:
{
"offset" => 182,
"input_type" => "log",
"source" => "logs/2016_11_28_11_08_17_log.txt",
"message" => "11/28/2016 11:08:17 AM Mr INFO Creating application []",
"type" => "log",
"tags" => [
[0] "beats_input_codec_plain_applied",
[1] "_dateparsefailure"
],
"event_desc" => "Creating application",
"@timestamp" => 2017-01-24T10:47:12.657Z,
"log-level" => "INFO",
"logdate" => "11/28/2016 11:08:17 AM",
"@version" => "1",
"beat" => {
"hostname" => "ed15f9e21523",
"name" => "ed15f9e21523"
},
"host" => "ed15f9e21523",
"class" => "Mr"
}

2

With a date like 11/28/2016 your dd/MM/yyyy pattern is clearly wrong (flip the day and the month). Apart from that it looks okay.

3

It's working, thanks!

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.