_dataparsefailure in tags

zebu14 · September 24, 2019, 9:11am

Hello,

I think this issue is very common but I am still searching for a solution.

I have this log line :

Mar 9 02:20:42 dvgospxi1 (squid-1): 09/Mar/2017:02:20:42 +0100 - TCP_DENIED 403 10.117.56.12:47151 3529 GET http://intranoo.zzz.fr/ text/html 3428 HIER_NONE - 10.170.226.63 3128 0

(note the two spaces between "Mar" and "9")

Then, this is my grok filter to parse the date :

grok {
match => {
"message" => "%{SYSLOGTIMESTAMP:syslog_timestamp}.*%{NUMBER:duration:int}"
}
}
    date {
      match => [ "syslog_timestamp", "MMM dd HH:mm:ss" ]
      timezone => "Europe/Paris"
    }

In kibana, I obtain the tag "_dateparsefailure and my timestamp doesn't correspond to the log date but the indexation date.

I think it's all about the two spaces between the month and day, but to handle them in the dissect filter, I usually use the "->" to indicate padding.
There, in the grok filter, I don't know how to handle this.

Any help appreciated.
Thanks

chandu5565 · September 24, 2019, 9:35am

Try this date filter

date {
match => [ "syslog_timestamp", "MMM d HH:mm:ss" ]
}
}

zebu14 · September 24, 2019, 9:42am

Yes, I can.
But I think it will be a problem for days above 9 ... no ?

The goal is to handle 1 digit and 2 digits days.

chandu5565 · September 24, 2019, 9:48am

It will work if the date is of 2 digit.

chandu5565 · September 24, 2019, 9:56am

For your clarification run the below configuration and change the date in stdin after running configuration.


input { stdin {} }


filter {
   grok {
match => {"message" => "%{SYSLOGTIMESTAMP:syslog_timestamp}"}
  }
   date {
      match => [ "syslog_timestamp", "MMM d HH:mm:ss" ]
        }
  }
  
output {
   stdout {}
}

admlko · September 24, 2019, 10:12am

Just define multiple patterns, one for 1 digit, another for 2 digits:

date {
  match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}

zebu14 · September 24, 2019, 1:28pm

Seems to be OK like that.

Thank you for clarification.

zebu14 · September 24, 2019, 1:30pm

Tried with this method but still got _dateparsefailure

The previous one from chandu5565 is ok.

Badger · September 24, 2019, 2:00pm

The SYSLOGTIMESTAMP pattern will handle there being two spaces. In a date filter "MMM d HH:mm:ss" will match both

Mar 9 02:20:42
Mar 19 02:20:42

with a single space, but to handle two spaces you need to add a second pattern to the filter

date { match => [ "syslog_timestamp", "MMM d HH:mm:ss", "MMM  d HH:mm:ss" ] }

system · October 22, 2019, 2:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.