Dateparsefailure - Mac Syslogs

TCBeeekley · May 3, 2018, 6:12pm

Hello!

Brand new to the Elasticstack, I have a question about date filtering. Here's the sample message:

May 3 14:08:41 foo-hostname com.apple.xpc.launchd[1] (com.apple.preference.displays.MirrorDisplays): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

Here's the filter from my yml file:

filter {
  grok{
    match => [ "message", "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:syslog_message}" ]
  }
  date {
    match  => [ "syslog_timestamp", "MMM dd HH:mm:ss" ]
  }
}

It's giving me a dateparsefailure tag and I can't seem to figure out why...

Thanks!

Tim

magnusbaeck · May 3, 2018, 6:29pm

You use "dd" in your pattern but the day of month (3) is only one character long. You need to list two patterns in your filter; one with "dd" and one with "d".

TCBeeekley · May 7, 2018, 7:21pm

That was it! Thanks!

system · June 4, 2018, 7:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.