Date parsing with am:pm and timezone

ssasporta · November 21, 2017, 9:50pm

The date in my logs looks like that:

Nov 5, 2017 11:06:30 PM CST

I tried to parse it like that:

date {
                      match => [ "timestamp" , "MMM dd, yyyy KK:mm:ss aa Z" ]
}

or like that:

date {
                      match => [ "timestamp" , "MMM dd, yyyy HH:mm:ss aa Z" ]
}

But still getting the error:

[1] "_dateparsefailure"

What is the right way to parse this date format?

Thanks
Sharon.

Badger · November 21, 2017, 10:12pm

According to the docs, valid timezones are listed on this page, and CST is not one of them. Is that the same as CST6CDT?

mutate { gsub => [ "message", "CST", "CST6CDT" ] }
date { match => [ "message", "MMM d, yyyy HH:mm:ss a ZZZ" ] }

ssasporta · November 21, 2017, 10:41pm

Yes, it is the same , but still : "_dateparsefailure"

I tried few ways including yours.

  mutate {
                gsub => [ "timestamp", "CST", "CST6CDT" ]
            }
            
            date {
                  match => [ "timestamp", "MMM dd, yyyy hh:mm:ss aa Z" ]
    }

Thanks
Sharon.

ssasporta · November 21, 2017, 10:45pm

I think I found the issue. Will let you know.

Looks your answer was good.

ssasporta · November 21, 2017, 10:49pm

Your answer was actually perfect.

(I had two different timestamp fields in same events with same name)

Thanks a lot
Sharon.

Topic		Replies	Views
Date filter with timestamp Logstash	2	554	July 6, 2017
Logstash time parsing error Logstash	4	1660	July 6, 2017
Logstash Date parsing (with AM/PM data) for YYYY-MM-dd HH:mm:ss,SSS format Logstash	4	3395	July 18, 2019
Problem with Logstash date parse Logstash	3	1522	August 30, 2019
Failed parsing date from field Logstash	2	884	July 6, 2017

Date parsing with am:pm and timezone

Related topics