Date parsing with am:pm and timezone

ssasporta · November 21, 2017, 9:50pm

The date in my logs looks like that:

Nov 5, 2017 11:06:30 PM CST

I tried to parse it like that:

date {
                      match => [ "timestamp" , "MMM dd, yyyy KK:mm:ss aa Z" ]
}

or like that:

date {
                      match => [ "timestamp" , "MMM dd, yyyy HH:mm:ss aa Z" ]
}

But still getting the error:

[1] "_dateparsefailure"

What is the right way to parse this date format?

Thanks
Sharon.

Badger · November 21, 2017, 10:12pm

According to the docs, valid timezones are listed on this page, and CST is not one of them. Is that the same as CST6CDT?

mutate { gsub => [ "message", "CST", "CST6CDT" ] }
date { match => [ "message", "MMM d, yyyy HH:mm:ss a ZZZ" ] }

ssasporta · November 21, 2017, 10:41pm

Yes, it is the same , but still : "_dateparsefailure"

I tried few ways including yours.

  mutate {
                gsub => [ "timestamp", "CST", "CST6CDT" ]
            }
            
            date {
                  match => [ "timestamp", "MMM dd, yyyy hh:mm:ss aa Z" ]
    }

Thanks
Sharon.

ssasporta · November 21, 2017, 10:45pm

I think I found the issue. Will let you know.

Looks your answer was good.

ssasporta · November 21, 2017, 10:49pm

Your answer was actually perfect.

(I had two different timestamp fields in same events with same name)

Thanks a lot
Sharon.

system · December 19, 2017, 10:50pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash _dateparsefailure Logstash	4	415	August 31, 2018
Problem with Logstash date parse Logstash	3	1480	August 30, 2019
Time format 30.12.2019 14:06:00 GMT+00:00 Logstash	4	756	May 20, 2020
Date AM/PM format - Logstash filter date parse error Logstash	1	1751	July 6, 2017
Help _dateparsefailure Logstash	5	557	June 14, 2017

Date parsing with am:pm and timezone

Related topics