Dateparse error out of the blue

kottapar · July 2, 2017, 10:36am

Hey guys,

The logstash filter for the ESX messages was working fine. However out of the blue it started throwing _dateparse errors.

{
           "msg" => "bound to 16.54.5.10 -- renewal in 255 seconds.",
           "pid" => "37081",
       "program" => "dhclient-uw",
       "message" => "bound to 16.54.5.10 -- renewal in 255 seconds.",
     "logsource" => "esxs01",
          "tags" => [
        [0] "_dateparsefailure"
    ],
    "@timestamp" => 2017-07-02T10:24:41.000Z,
          "host" => "10.15.13.84",
     "timestamp" => "Jul  2 10:24:41"
}

My filter with the date stanza is

filter {
  if [logsource] =~ "esxs0[1,2].*" {
    date {
      match => [ "timestamp", "MMM dd HH:mm:ss" ]
      locale => "en"
      timezone => "UTC"
    }

I'm still investigating but posting if anyone has already faced something similar to this.

kottapar · July 2, 2017, 10:50am

My bad. I made an elementary mistake
Here's my new filter. I didn't take into account "MMM d HH:mm:ss"

filter {
  if [logsource] =~ "esxs0[1,2].*" {
    date {
      match => [ "timestamp", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss" ]
      locale => "en"
      timezone => "UTC"
    }

system · July 30, 2017, 10:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
_dateparsefailure again Logstash	3	1148	June 27, 2017
Date parse failure message strange behavior Logstash	3	476	February 3, 2020
Logstash Data parsing error - _dateparsefailure Logstash	3	2846	August 3, 2017
Data parse error ["_dateparsefailure"] Logstash	9	1031	August 15, 2018
Date filter issues Logstash	3	485	July 6, 2017

Dateparse error out of the blue

Related topics