Another dateparse failure

calanon · December 18, 2020, 11:33am

I cant figure out how to match this:

RAW output
[2020-12-17T16:45:45+01:00]

Elasticsearch JSON

Dez 18 11:03:58 mon logstash[23980]:     "log_timestamp" => "2020-12-18T11:03:56+01:00",
Dez 18 11:03:58 mon logstash[23980]:          "@version" => "1",
Dez 18 11:03:58 mon logstash[23980]:              "tags" => [
Dez 18 11:03:58 mon logstash[23980]:         [0] "live0",
Dez 18 11:03:58 mon logstash[23980]:         [1] "beats_input_codec_plain_applied",
Dez 18 11:03:58 mon logstash[23980]:         [2] "_dateparsefailure"

Date filter plugin

date {
    match => [ "log_timestamp", "yyyyMMdd HHmmss", "yyyyMMdd HHmmss,SSS", "yyyy-MM-dd'T'HH:mm:ss +0100" ]
    target => "@timestamp"
    timezone => "Europe/Berlin"
    add_field => { "debug" => "timestampMatched" }
  }

Grok match
\[%{TIMESTAMP_ISO8601:log_timestamp}\]

Badger · December 18, 2020, 3:06pm

That would be yyyy-MM-dd'T'HH:mm:ssZZ.

calanon · December 21, 2020, 8:51am

@Badger
Thanks for your reply badger but I am still getting a dateparsefailure with that pattern:

Dez 21 09:48:57 mon logstash[23980]:     "log_timestamp" => "2020-12-21T09:48:50+01:00",
Dez 21 09:48:57 mon logstash[23980]:          "@version" => "1",
Dez 21 09:48:57 mon logstash[23980]:              "tags" => [
Dez 21 09:48:57 mon logstash[23980]:         [0] "live0",
Dez 21 09:48:57 mon logstash[23980]:         [1] "beats_input_codec_plain_applied",
Dez 21 09:48:57 mon logstash[23980]:         [2] "_dateparsefailure" 

Dez 21 09:48:57 mon logstash[23980]:        "@timestamp" => 2020-12-21T08:48:51.000Z,
Dez 21 09:48:57 mon logstash[23980]:               "ecs" => {
Dez 21 09:48:57 mon logstash[23980]:         "version" => "1.5.0"
Dez 21 09:48:57 mon logstash[23980]:     },

Badger · December 21, 2020, 4:57pm

Not sure what would cause that. It works for me

input { generator { count => 1 lines => [ '' ] } }
filter {
    mutate { add_field => { "log_timestamp" => "2020-12-18T11:03:56+01:00" } }
    date { match => [ "log_timestamp", "yyyy-MM-dd'T'HH:mm:ssZZ" ] target => "@timestamp" }
}
output  { stdout { codec => rubydebug { metadata => false } } }

results in

   "@timestamp" => 2020-12-18T10:03:56.000Z,

system · January 18, 2021, 4:57pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.