Dateparse failure

I cannot find a way to either debug or fix this. I have provided below the log output and the various grok filters that are used. What can I do to fix this?

RAW Log output

  logstash[23980]: [2020-12-17T14:19:12,925][WARN ]

Grok filters in Logstash

DATESTAMP_ADMIN_LOG %{YEAR}%{MONTHNUM}%{MONTHDAY} %{HOUR}%{MINUTE}%{SECOND}

\[%{DATESTAMP_ADMIN_LOG:log_timestamp}\] %{PID_B24:pid} %{LOGLEVEL:loglevel} - %{GREEDYDATA:message}

Date module in logstash

  date {
    match => [ "log_timestamp", "[yyyyMMdd HHmmss]", "yyyyMMdd HHmmss,SSS", "yyyy-MM-dd'T'HH:mm:ss", "yyyy-MM-dd HH:mm:ss ZZZ" ]
    target => "@timestamp"
    timezone => "Europe/Berlin"
    add_field => { "debug" => "timestampMatched" }
  }

JSON output in Elasticsearch

Dez 17 14:19:15 mon-01 logstash[23980]:     "log_timestamp" => "20201217 141912",
Dez 17 14:19:15 mon logstash[23980]:          "@version" => "1",
Dez 17 14:19:15 mon logstash[23980]:              "tags" => [
Dez 17 14:19:15 mon logstash[23980]:         [0] "live0",
Dez 17 14:19:15 mon logstash[23980]:         [1] "beats_input_codec_plain_applied",
Dez 17 14:19:15 mon logstash[23980]:         [2] "_dateparsefailure"
Dez 17 14:19:15 mon logstash[23980]:     ],

Try to change "[yyyyMMdd HHmmss]" to "yyyyMMdd HHmmss" in the below.

    match => [ "log_timestamp", "[yyyyMMdd HHmmss]", "yyyyMMdd HHmmss,SSS", "yyyy-MM-dd'T'HH:mm:ss", "yyyy-MM-dd HH:mm:ss ZZZ" ]

Your output of "log_timestamp" => "20201217 141912" doesn't have brackets around it.

@aaron-nimocks That worked and thanks very much.

I have the same problem with this one:

RAW output
[2020-12-17T16:45:45+01:00]

Elasticsearch JSON

Dez 18 11:03:58 mon logstash[23980]:     "log_timestamp" => "2020-12-18T11:03:56+01:00",
Dez 18 11:03:58 mon logstash[23980]:          "@version" => "1",
Dez 18 11:03:58 mon logstash[23980]:              "tags" => [
Dez 18 11:03:58 mon logstash[23980]:         [0] "live0",
Dez 18 11:03:58 mon logstash[23980]:         [1] "beats_input_codec_plain_applied",
Dez 18 11:03:58 mon logstash[23980]:         [2] "_dateparsefailure" 

Grok match
\[%{TIMESTAMP_ISO8601:log_timestamp}\]

The match is the same as the post above.
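The following test pipeline is an added example, not part of any post in this thread. It replays both timestamp shapes from the thread through grok and the date filter so a `_dateparsefailure` can be reproduced offline. Assumptions: the sample lines are constructed, `%{POSINT}` stands in for the custom `PID_B24` pattern (its definition is not on the page), `log_message` and the file name are hypothetical, and the Joda-style `ZZ` pattern (or the built-in `ISO8601` keyword) is used to cover the `+01:00` offset, which none of the patterns in the original `match` list account for.

```logstash
# Constructed test pipeline; run with: bin/logstash -f dateparse-test.conf
# (dateparse-test.conf is a hypothetical file name)
input {
  generator {
    # Constructed sample lines in the two timestamp shapes from the thread
    lines => [
      "[20201217 141912] 1234 INFO - constructed sample",
      "[2020-12-18T11:03:56+01:00] constructed sample"
    ]
    count => 1
  }
}

filter {
  grok {
    # Custom pattern as posted in the thread
    pattern_definitions => {
      "DATESTAMP_ADMIN_LOG" => "%{YEAR}%{MONTHNUM}%{MONTHDAY} %{HOUR}%{MINUTE}%{SECOND}"
    }
    match => {
      "message" => [
        # POSINT is an assumption replacing PID_B24
        "\[%{DATESTAMP_ADMIN_LOG:log_timestamp}\] %{POSINT:pid} %{LOGLEVEL:loglevel} - %{GREEDYDATA:log_message}",
        "\[%{TIMESTAMP_ISO8601:log_timestamp}\] %{GREEDYDATA:log_message}"
      ]
    }
  }

  date {
    # Patterns describe the captured field value only; the surrounding
    # brackets were already consumed by grok and must not appear here.
    match => [
      "log_timestamp",
      "yyyyMMdd HHmmss",            # 20201217 141912
      "yyyy-MM-dd'T'HH:mm:ssZZ",    # 2020-12-18T11:03:56+01:00 (ZZ = offset with colon)
      "ISO8601"                     # built-in fallback for ISO 8601 variants
    ]
    target   => "@timestamp"
    # Applied only when the parsed value carries no zone or offset of its own
    timezone => "Europe/Berlin"
  }
}

output { stdout { codec => rubydebug } }
```

Events that still carry `_dateparsefailure` in the rubydebug output show the exact `log_timestamp` string the date filter received, which is the value the pattern list has to match.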
