Hi,
I am getting `_dateparsefailure` in tags and I am not sure why. I checked the date match format and did not see any issue. Any idea what the problem is? Thanks!
Here is the original message:
Mar 27 16:48:18.875 PDT: %SYS-5-CONFIG_I: Configured from console by net-cmonks on vty0 (10.157.8.116)
The following is the relevant part of the script:
filter {
# NOTE: The frontend logstash servers set the type of incoming messages.
if [type] == "syslog-cisco" {
# The switches are sending the same message to all syslog servers for redundancy, this allows us to
## only store the message in elasticsearch once by generating a hash of the message and using that as
## the document_id.
fingerprint {
# Hashes the raw syslog line so that every collector that received the same line computes
# the same value; the surrounding comments say it is used as the Elasticsearch document_id,
# but that output block is not part of this snippet.
# This filter runs before the grok below, so the hash covers the line as received --
# including the leading PRI and any optional sequence number the grok patterns strip --
# not the rewritten "message" that grok's overwrite produces.
source => [ "message" ]
# NOTE(review): per the plugin docs, setting `key` makes this a keyed (HMAC) digest rather
# than a bare SHA1. For de-duplication the key only has to be stable, not secret: changing
# it changes every id, so already-indexed events would be re-indexed as new documents.
method => "SHA1"
key => "Some super secret passphrase for uniqueness."
# Only a single source is listed, so concatenation has no visible effect here; it matters
# if further fields are added to `source`.
concatenate_sources => true
}
# Parse the log entry into sections. Cisco doesn't use a consistent log format, unfortunately.
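grok {
  # CISCOTIMESTAMPTZ, NEXUSTIMESTAMP and CISCO_REASON are custom patterns loaded from
  # patterns_dir; their definitions are not shown here.
  # NOTE(review): confirm whether CISCOTIMESTAMPTZ swallows the trailing zone abbreviation
  # ("PDT" in the sample line) into log_date -- the date filter downstream has to be able
  # to parse whatever ends up in that field.
  #patterns_dir => [ "/opt/logstash/patterns" ]
  patterns_dir => [ "/etc/logstash/conf.d/patterns" ]
  match => [
    # IOS: PRI, optional sequence number, optional "<n>:" counter, timestamp with zone,
    # then %FACILITY-SEVERITY-MNEMONIC or %FACILITY-SUB-SEVERITY-MNEMONIC, then the text.
    "message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}",
    "message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?:( %{NUMBER}:)? %{CISCOTIMESTAMPTZ:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}",
    # Nexus: same layout but a different timestamp pattern and no "<n>:" counter.
    "message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?: %{NEXUSTIMESTAMP:log_date}: %%{CISCO_REASON:facility}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}",
    "message", "%{SYSLOG5424PRI}(%{NUMBER:log_sequence#})?: %{NEXUSTIMESTAMP:log_date}: %%{CISCO_REASON:facility}-%{CISCO_REASON:facility_sub}-%{INT:severity_level}-%{CISCO_REASON:facility_mnemonic}: %{GREEDYDATA:message}"
  ]
  # Replace the raw line with the text captured as %{GREEDYDATA:message}.
  overwrite => [ "message" ]
  # Only added when one of the patterns matched; the date filter further down keys off it.
  add_tag => [ "cisco" ]
  remove_field => [ "syslog5424_pri", "@version" ]
  # Dropped from the original: `remove_field => ["tag_on_failure"]`. tag_on_failure is a
  # grok *option* (the tag applied when no pattern matches), not an event field, so that
  # line removed nothing; to change the failure tag use `tag_on_failure => [ ... ]`.
  # It also repeated the remove_field key, which some Logstash versions may reject.
}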
}
# If we made it here, the grok was successful (the "cisco" tag is only added on a match)
if "cisco" in [tags] {
date {
# Converts log_date (captured by grok) into @timestamp. The patterns are Joda-style and
# are tried in order; the event is tagged _dateparsefailure only if none of them matches.
# NOTE(review): the sample line carries "16:48:18.875 PDT". In Joda the ZZZ token parses a
# zone *identifier* such as America/Los_Angeles, and zone *names/abbreviations* like PDT
# cannot be parsed at all, so every ZZZ pattern below fails on it; the zone-less patterns
# fail as well because the trailing " PDT" is left unconsumed. Likely fix: have grok capture
# the abbreviation into its own field (or strip it with mutate) so log_date ends at the
# seconds/millis, and set `timezone => "America/Los_Angeles"` in this filter so the value
# is not interpreted as UTC -- confirm against the CISCOTIMESTAMPTZ definition in patterns_dir.
match => [
"log_date",
# IOS
"MMM dd HH:mm:ss.SSS ZZZ",
"MMM d HH:mm:ss.SSS ZZZ",
"MMM dd HH:mm:ss ZZZ",
"MMM d HH:mm:ss ZZZ",
"MMM dd HH:mm:ss.SSS",
"MMM d HH:mm:ss.SSS",
# Nexus
"YYYY MMM dd HH:mm:ss.SSS ZZZ",
"YYYY MMM dd HH:mm:ss ZZZ",
"YYYY MMM dd HH:mm:ss.SSS",
# Hail Mary: last resort for anything already in ISO 8601 form
"ISO8601"
]
}
```