hi guys,
can you assist why below does not parse input data coming as
```
Wed Dec 02 11:11:03 Asia/Riyadh 2020
```
```
date { match => [ "Timestamp", "EEE MMM dd HH:mm:ss ZZZ yyyy"] target => "@timestamp" }
```
It works for me...
```
"Timestamp" => "Wed Dec 02 11:11:03 Asia/Riyadh 2020",
"@timestamp" => 2020-12-02T08:11:03.000Z
```
hi badger,
still getting dateparsefailure ...plz see complete code
```
filter {
  kv {
    source => "message"
    field_split => "\n"
    value_split => ":"
  }
  mutate { gsub => [ "time", "AST", "Asia/Riyadh" ] }
  date { match => [ "time", "EEE MMM dd HH:mm:ss ZZZ yyyy"] }
}
output {
  stdout {
    codec => "rubydebug"
  }
}
```
```
time:Wed Dec 02 02:53:39 AST 2020
{
    "@timestamp" => 2020-12-10T08:13:46.874Z,
    "tags" => [
        [0] "_dateparsefailure"
    ],
    "@version" => "1",
    "time" => "Wed Dec 02 02:53:39 Asia/Riyadh 2020\r",
    "message" => "time:Wed Dec 02 02:53:39 AST 2020\r",
}
```
The reason you are seeing `_dateparsefailure` might be because of `\r` at the end in your `message` field.
```
time:Wed Dec 02 02:53:39 AST 2020
{
    "@timestamp" => 2020-12-01T23:53:39.000Z,
    "time" => "Wed Dec 02 02:53:39 Asia/Riyadh 2020",
    "message" => "time:Wed Dec 02 02:53:39 AST 2020",
    "@version" => "1",
}
```
```
time:Wed Dec 02 02:53:39 AST 2020\r
{
    "@timestamp" => 2020-12-10T08:57:46.645Z,
    "time" => "Wed Dec 02 02:53:39 Asia/Riyadh 2020\\r",
    "message" => "time:Wed Dec 02 02:53:39 AST 2020\\r",
    "@version" => "1",
    "tags" => [
        [0] "_dateparsefailure"
    ]
}
```
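One way to apply the diagnosis above, as an added example that is not part of the original thread: strip the trailing carriage return from `time` before the `date` filter runs, and mark events whose date still fails to parse, since (as the outputs above show) those keep the ingest time in `@timestamp` instead of the event time. The `timestamp_source` field name is a hypothetical chosen for illustration.

```logstash
filter {
  kv {
    source      => "message"
    field_split => "\n"
    value_split => ":"
  }

  # Input with CRLF line endings leaves a trailing "\r" on the value.
  # gsub rewrites the zone abbreviation; strip then removes leading and
  # trailing whitespace, which includes the carriage return.
  mutate {
    gsub  => [ "time", "AST", "Asia/Riyadh" ]
    strip => [ "time" ]
  }

  date {
    match  => [ "time", "EEE MMM dd HH:mm:ss ZZZ yyyy" ]
    target => "@timestamp"
  }

  # If parsing still fails, @timestamp holds the ingest time, not the
  # event time. Record that explicitly so timelines built on @timestamp
  # can exclude or review these events.
  # "timestamp_source" is a hypothetical field name (assumption).
  if "_dateparsefailure" in [tags] {
    mutate { add_field => { "timestamp_source" => "ingest" } }
  } else {
    mutate { add_field => { "timestamp_source" => "event" } }
  }
}

output {
  stdout {
    codec => "rubydebug"
  }
}
```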
thanks