Date Parse Failure for dd-MMM-yy h:mm:ss a z

sallehuddin · July 14, 2016, 1:11pm

I've been scratching my head for hours trying to figure out why the following datetime format failed to be properly detected by date filter of logstash.

I have the following sample data from csv file:
09-Jul-16 10:00:00 PM SGT,64.2
09-Jul-16 10:15:00 PM SGT,64.3
09-Jul-16 10:30:00 PM SGT,63.9

I've used the following filter to separate the two column and after that try to use the first column to set the @timestamp:

csv {
      columns => ["datadate", "rh"]
      separator => ","
    }

date {
      match => [ "datadate", "dd-MMM-yy h:mm:ss a z" ]
}

however, the date filter failed to match with _dateparsefailure in the indexed data. Can anybody point to me where did I make the mistakes?

Thanks.

fbaligand · July 14, 2016, 2:25pm

Hi,

The problem is the timezone part. All the rest is OK.

2 things to fix your problem :

replace 'z' by 'ZZZ' in your match pattern
SGT is unfortunately not recognized by joda time library. So I invite you to replace 'SGT' word by 'Singapore'. You can do that using mutate filter.

sallehuddin · July 15, 2016, 2:26am

Thank you Fabien. I'll see how I can do a workaround using your suggestion then.

I should have checked this document earlier to save time

http://joda-time.sourceforge.net/timezones.html

fbaligand · July 15, 2016, 6:19am

You're welcome:)