Date filter issues

Kryten · November 24, 2015, 1:45pm

Having problems updating the @timestamp value for my messages. Would appreciate any insight into what might be going wrong here.

Sample log line:-
2015-11-24 11:44:55,888 INFO [com.blandio.ct.avd.dao.CSDAO: 238] - Disconnect received.

My date filter looks like:
filter {

		grok {
			match	=> ["message","(?<tstamp>\d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\,\d{3})"]
		}
		date {
			match => [ "%{tstamp}","yyyy-MM-dd HH:mm:ss,SSS" ]
		}
}

so in this case I am capturing the timestamp with a grok and then using the field the grok creates as the value for date to match against. This fails as tthe @timestamp value is just the logstash parse time not the log event time.

I have tried without the initial grok - just the same. I have tried using lowercase "mm" for the month - just the same.
I have tried using locale and target parameters to update an existing field - just the same.

Would appreciate any help as to why this is failing.

Many thanks.

magnusbaeck · November 24, 2015, 1:46pm

match => [ "%{tstamp}","yyyy-MM-dd HH:mm:ss,SSS" ]

Correct:

match => [ "tstamp","yyyy-MM-dd HH:mm:ss,SSS" ]

Kryten · November 24, 2015, 1:49pm

Awesome!
Yep that did it. Interestingly, without the grok I get a [dateparsefailure] tag.. I thought that grokking out a nice clean value would help... trust me to not reference it properly though!
Thank you!

Topic		Replies	Views
_dateparsefailure again Logstash	3	1148	June 27, 2017
Strugging with the date filter Logstash	3	531	July 25, 2018
Date filter dateparsefailure Logstash	2	297	February 7, 2020
Date Filter Doesn't Work Logstash	6	923	November 2, 2018
_dateparsefailure when trying to overwrite @timestamp Logstash	8	146	June 7, 2024

Date filter issues

Related Topics