Dateparse failure using the date filter

Elastic Stack Logstash
1

I have a log line

Thu Jun 18 08:01:42 CEST 2020|{"timestamp":1592460102635,"caller":"test.customer@customer1","action":"LOGIN","message":"ID000066 User [test.customer@customer1] logged in successfully."}

This is my filter:

filter {
    dissect {
        mapping => {
            "message" => "%{log_timestamp}|%{data}"
        }
    }
    mutate {
        gsub => [ "data","[\\"]","" ]
    }
    kv {
        source => "data"
        field_split => ","
        value_split => ":"
        trim_key => "[\{]"
        trim_value => "[\}]"
        prefix => "audit_"
    }
    #Thu Jun 18 08:01:42 +0200 2020
    if ("CEST" in [log_timestamp]) {
        mutate {gsub => [ "log_timestamp", "CEST", "+0200" ]}
        date {
            match => [ "log_imestamp" , "E MMM dd HH:mm:ss Z yyyy" ]
            #remove_field => [ "log_timestamp" ]
        }
    }
    if ("CET" in [log_timestamp]) {
        mutate {gsub => [ "log_timestamp", "CET", "+0100" ]}
        date {
            match => [ "log_timestamp" , "E MMM dd HH:mm:ss Z yyyy" ]
            #remove_field => [ "log_timestamp" ]
        }
    }
    date {
        match => [ "log_timestamp" , "E MMM dd HH:mm:ss yyyy" ]
        #remove_field => [ "log_timestamp" ]
    }

}

This is the output with the dateparsefailure for log_timestamp. Could you please advise what I am doing wrong here?:

{
       "audit_caller" => "test.customer@customer1",
         "@timestamp" => 2020-06-18T18:51:54.716Z,
               "host" => "test@example.com",
            "message" => "Thu Jun 18 08:01:42 CEST 2020|{\"timestamp\":1592460102635,\"caller\":\"test.customer@customer1\",\"action\":\"LOGIN\",\"message\":\"ID000066 User [test.customer@customer1] logged in successfully.\"}",
               "data" => "{timestamp:1592460102635,caller:test.customer@customer1,action:LOGIN,message:ID000066 User [test.customer@customer1] logged in successfully.}",
      "audit_message" => "ID000066 User [test.customer@customer1] logged in successfully.",
           "@version" => "1",
    "audit_timestamp" => "1592460102635",
      "log_timestamp" => "Thu Jun 18 08:01:42 +0200 2020",
       "audit_action" => "LOGIN",
               "tags" => [
        [0] "_dateparsefailure"
    ]
}
2

You need the Z for the timezone if you data looks like

"log_timestamp" => "Thu Jun 18 08:01:42 +0200 2020",
1 Like
3

Thanks a lot.

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.