Dataparsefailure problem

filter {
    grok{
        match => [
            "message","\s*(\[(?<key1>[^:\]]*):(?<value1>[^\]]*)\])?"
                 ]
    }
    if [key1]{
			if [key1]=~ ".*Float\b"{
				mutate {
					convert => ["value1", "float"]
				}
				mutate {
					rename => ["value1", "%{key1}"]
				}
			}
			else{
				mutate{
						add_field => {
					        "%{key1}" => "%{value1}"
				        }
						remove_field => "value1"
				}
			}
			mutate{
				remove_field => "key1"
			}
	}
	if [TimeStamp]{
		grok{
			match => [
				"TimeStamp","%{TIMESTAMP_ISO8601:timestamp}"
			]
		}
		grok{
			match => [
				"timestamp","(?<indextime>[^\s]*)"
			]
		}
		mutate{
			add_field =>{
				"[@metadata][indexDate]" => "%{indextime}"
			}
		}	
		date {
			match => [ "timestamp", "ISO8601" ]
			target => "TS"
			locale => "en"
			}
#		mutate{
#			remove_field => "timestamp"
#		}
	}
}

when i input that
[TimeStamp:2018-02-02 11:59:31]
{
"indextime" => "2018-02-02",
"@timestamp" => 2018-04-25T07:43:07.548Z,
"tags" => [
[0] "_dateparsefailure"
],
"@version" => "1",
"message" => "[TimeStamp:2018-02-02 11:59:31]\r",
"host" => "BIH-D-6331",
"TimeStamp" => "2018-02-02 11:59:31",
"timestamp" => "2018-02-02 11:59:31"
}

I'm not sure ISO8601 works in this case. Try "YYYY-MM-dd HH:mm:ss" instead.

perfect answer！ thank you

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.