Dateparse failure using the date filter

marco2005 · June 18, 2020, 6:57pm

I have a log line

Thu Jun 18 08:01:42 CEST 2020|{"timestamp":1592460102635,"caller":"test.customer@customer1","action":"LOGIN","message":"ID000066 User [test.customer@customer1] logged in successfully."}

This is my filter:

filter {
    dissect {
        mapping => {
            "message" => "%{log_timestamp}|%{data}"
        }
    }
    mutate {
        gsub => [ "data","[\\"]","" ]
    }
    kv {
        source => "data"
        field_split => ","
        value_split => ":"
        trim_key => "[\{]"
        trim_value => "[\}]"
        prefix => "audit_"
    }
    #Thu Jun 18 08:01:42 +0200 2020
    if ("CEST" in [log_timestamp]) {
        mutate {gsub => [ "log_timestamp", "CEST", "+0200" ]}
        date {
            match => [ "log_imestamp" , "E MMM dd HH:mm:ss Z yyyy" ]
            #remove_field => [ "log_timestamp" ]
        }
    }
    if ("CET" in [log_timestamp]) {
        mutate {gsub => [ "log_timestamp", "CET", "+0100" ]}
        date {
            match => [ "log_timestamp" , "E MMM dd HH:mm:ss Z yyyy" ]
            #remove_field => [ "log_timestamp" ]
        }
    }
    date {
        match => [ "log_timestamp" , "E MMM dd HH:mm:ss yyyy" ]
        #remove_field => [ "log_timestamp" ]
    }

}

This is the output with the dateparsefailure for log_timestamp. Could you please advise what I am doing wrong here?:

{
       "audit_caller" => "test.customer@customer1",
         "@timestamp" => 2020-06-18T18:51:54.716Z,
               "host" => "test@example.com",
            "message" => "Thu Jun 18 08:01:42 CEST 2020|{\"timestamp\":1592460102635,\"caller\":\"test.customer@customer1\",\"action\":\"LOGIN\",\"message\":\"ID000066 User [test.customer@customer1] logged in successfully.\"}",
               "data" => "{timestamp:1592460102635,caller:test.customer@customer1,action:LOGIN,message:ID000066 User [test.customer@customer1] logged in successfully.}",
      "audit_message" => "ID000066 User [test.customer@customer1] logged in successfully.",
           "@version" => "1",
    "audit_timestamp" => "1592460102635",
      "log_timestamp" => "Thu Jun 18 08:01:42 +0200 2020",
       "audit_action" => "LOGIN",
               "tags" => [
        [0] "_dateparsefailure"
    ]
}

Badger · June 18, 2020, 8:47pm

You need the Z for the timezone if you data looks like

"log_timestamp" => "Thu Jun 18 08:01:42 +0200 2020",

marco2005 · June 19, 2020, 9:34am

Thanks a lot.

system · July 17, 2020, 9:34am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Date parse failure message strange behavior Logstash	3	476	February 3, 2020
Data parse error ["_dateparsefailure"] Logstash	9	1031	August 15, 2018
Date filter failer Logstash	2	394	February 20, 2018
Dateparse failure Logstash	3	306	January 15, 2021
Dateparse failure When trying to get date from xml file Logstash	8	657	May 14, 2020

Dateparse failure using the date filter

Related topics