Getting _dateparsefailure for a log file having two timestamps

Hello, my log file looks like:

[
  {
    "textPayload": "{'testkey': 'testvalue'}",
    "insertId": "12345-12345",
    "resource": {
      "type": "cloud_function",
      "labels": {
        "project_id": "project-p123",
        "region": "us-east4",
        "function_name": "testfunction"
      }
    },
    "timestamp": "2021-11-16T16:07:56.647Z",
    "severity": "INFO",
    "labels": {
      "execution_id": "uji09345"
    },
    "logName": "projects/project-p123/logs/cloudfunctions",
    "trace": "projects/project-p123/traces/uhne1234",
    "receiveTimestamp": "2021-11-16T16:08:06.721583231Z"
  }
]

And my filter looks like:

filter {
  date {
    match => ["timestamp", "ISO8601"]
    target => ["@timestamp"]
    remove_field => ["timestamp"]
  }
  date {
    match => ["receiveTimestamp", "ISO8601"]
    target => ["receiveTimestamp"]
    #remove_field => ["receiveTimestamp"]
  }
}

All the other fields are coming in perfectly fine except the timestamps.
Please help in fixing this issue.
Thank you.

Can you post an example of what it is coming in as?

This is what I get:

It's in the tags! You have a _dateparsefailure. Also that screenshot is not the same as your example.
🙂

This is probably because your receiveTimestamp may be too precise for the date filter.
Anything beyond milliseconds is not parsed iirc.
I don't see any problems with your timestamp.

Have you tried not using the date filter and letting Elasticsearch recognize the timestamp on its own?
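
One way to find out which of the two date filters is raising the tag, and to test the precision theory from the replies, is to give each filter its own failure tag and trim `receiveTimestamp` to milliseconds before parsing. This is an added example, not a configuration posted by anyone in the thread; the tag names and the `receiveTimestamp_raw` field are assumptions.

```logstash
filter {
  # Keep the original string so the nanosecond digits are not lost
  # (the field name receiveTimestamp_raw is an assumption).
  mutate {
    copy => { "receiveTimestamp" => "receiveTimestamp_raw" }
  }

  # Separate mutate block: inside a single block, gsub runs before copy.
  # Trim the fraction to three digits, e.g. .721583231Z -> .721Z
  mutate {
    gsub => ["receiveTimestamp", "(\.\d{3})\d+Z$", "\1Z"]
  }

  date {
    match => ["timestamp", "ISO8601"]
    target => "@timestamp"
    remove_field => ["timestamp"]
    # Custom tag name (assumption) so a failure points at this field.
    tag_on_failure => ["_dateparsefailure_timestamp"]
  }

  date {
    match => ["receiveTimestamp", "ISO8601"]
    target => "receiveTimestamp"
    # Custom tag name (assumption) so a failure points at this field.
    tag_on_failure => ["_dateparsefailure_receiveTimestamp"]
  }
}
```

If one of the custom tags still appears after the trim, the value arriving in that field is not the ISO8601 string shown in the sample, and the raw event is the next thing to inspect.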
