Dateparse error out of the blue

kottapar · July 2, 2017, 10:36am

Hey guys,

The logstash filter for the ESX messages was working fine. However out of the blue it started throwing _dateparse errors.

{
           "msg" => "bound to 16.54.5.10 -- renewal in 255 seconds.",
           "pid" => "37081",
       "program" => "dhclient-uw",
       "message" => "bound to 16.54.5.10 -- renewal in 255 seconds.",
     "logsource" => "esxs01",
          "tags" => [
        [0] "_dateparsefailure"
    ],
    "@timestamp" => 2017-07-02T10:24:41.000Z,
          "host" => "10.15.13.84",
     "timestamp" => "Jul  2 10:24:41"
}

My filter with the date stanza is

filter {
  if [logsource] =~ "esxs0[1,2].*" {
    date {
      match => [ "timestamp", "MMM dd HH:mm:ss" ]
      locale => "en"
      timezone => "UTC"
    }

I'm still investigating but posting if anyone has already faced something similar to this.

kottapar · July 2, 2017, 10:50am

My bad. I made an elementary mistake
Here's my new filter. I didn't take into account "MMM d HH:mm:ss"

filter {
  if [logsource] =~ "esxs0[1,2].*" {
    date {
      match => [ "timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
      locale => "en"
      timezone => "UTC"
    }

system · July 30, 2017, 10:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.