Date parsing can't update timestamp

Yaohua · July 28, 2017, 3:32am

the date parsing is successful,but the @timestamp not updated
This is my logstash

input {
  stdin { codec => json}
  beats {
     port => 5043
   }
}
filter {
      grok {
           patterns_dir => ["/etc/logstash/patterns/"]
           #match => { "log"=> ["%{DOCKER_TIME:drop_time} %{GREEDYMULTILINE:msg}","\[%{DATA:server}\] %{IPORHOST:ip} - - \[%{HTTPDATE:drop_time}\] %{GREEDYMULTILINE:msg}","\[%{TEST:Ttime}\,%{DATA:drop_data}: %{DATA:level}\] %{GREEDYMULTILINE:msg}"]}
           match => { "log" => ["\[%{TEST:Ttime}\,%{DATA:drop_data}: %{DATA:level}\] %{GREEDYMULTILINE:msg}"]}
           pattern_definitions => { "GREEDYMULTILINE" => "(.|\n)*" }
           remove_field => ["log","server","drop_data"]
           }
      date {
      match => [ "Ttime", ISO8601,"MMM  d HH:mm:ss", "MMM dd HH:mm:ss","yyyy-mm-dd HH:mm:ss","dd/MMM/yyy:HH:mm:ss" ]
      target => "@timestamp"
      #remove_field => "drop_time"
      locale => "en"
      timezone => "Asia/Shanghai"
      }

}

output {
  stdout { codec => rubydebug }

My input is

{"log":"[2017-07-28 10:16:53,636: INFO/MainProcess] Received task: utils.tasks.corporation_creamcone_events_notification[f11aa3af-4396-4490-be57-d6910d2c5aa1]  \n","stream":"stderr","time":"2017-07-28T02:16:53.636997028Z"}

the logstash output as following

{
           "msg" => "Received task: utils.tasks.corporation_creamcone_events_notification[f11aa3af-4396-4490-be57-d6910d2c5aa1]  \n",
    "@timestamp" => 2017-01-28T02:16:53.000Z,
        "stream" => "stderr",
         "level" => "INFO/MainProcess",
         "Ttime" => "2017-07-28 10:16:53",
      "@version" => "1",
          "host" => "vm1",
          "time" => "2017-07-28T02:16:53.636997028Z"
}

The TEST pattern as follows
TEST \d{4}-\d{2}-\d{2} %{TIME}

The @timestamp not update!

magnusbaeck · August 5, 2017, 6:27pm

I think you have another date filter in your configuration that incorrectly uses "DD" instead of "dd", because "DD" means "day of the year", and the 28th day of the year is 2017-01-28.

system · September 2, 2017, 6:28pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Date Parsing ignored in Logstash-->@timestamp not updated Logstash	3	736	December 12, 2016
Date filter issues Logstash	3	485	July 6, 2017
_dateparsefailure when trying to overwrite @timestamp Logstash	8	147	June 7, 2024
Date Filter Doesn't Work Logstash	6	923	November 2, 2018
Grok date parsing trouble Logstash	3	23022	July 6, 2017

Date parsing can't update timestamp

Related topics