Another one _dateparsefailure error

m0nhawk · January 26, 2017, 12:13pm

I have the following config:

input {
    file {
        path => "/root/logs/test.log"
        type => "accesslog"
        start_position => beginning
        sincedb_path => "/dev/null"
        ignore_older => 0
    }
}
filter {
    grok {
        match => ["message", "(?<datetime>%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{HOUR}:%{MINUTE}:%{SECOND})"]
    }
    date {
        match => ["datetime", "yyyy:MM:dd HH:mm:ss"]
        target => "@timestamp"
    }
}
output {
    stdout { codec => rubydebug }
}

And log (one line for easy checking):

2016-10-01 00:00:23

And when I run logstash, I get an error:

{
          "path" => "/root/logs/test.log",
      "datetime" => "2016-10-01 00:00:23",
    "@timestamp" => 2017-01-26T12:13:01.216Z,
      "@version" => "1",
          "host" => "ax-2",
       "message" => "2016-10-01 00:00:23",
          "type" => "accesslog",
          "tags" => [
        [0] "_dateparsefailure"
    ]
}

I have looked for dozens of topics, but have no idea why it is failing. I'm using latest ELK on Ubuntu 14.04.

magnusbaeck · January 26, 2017, 12:16pm

Here's your date:

2016-10-01 00:00:23

Here's your pattern:

yyyy:MM:dd HH:mm:ss

You have too many colons in your pattern.

m0nhawk · January 26, 2017, 12:24pm

Thanks you! Now everything is works on original config (I've also found few more issues in the grok pattern, thanks to you).

system · February 23, 2017, 12:24pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.