Getting _dateparsefailure tag

Hari_Krishna · April 29, 2020, 1:30pm

I have to replace the @timestamp in kibana with the timestamp in my log.But when i try to do that it doesn't replace, but it adds a _dateparsefailure tag.
Here is my filter

filter {

grok
{
    break_on_match => false
    pattern_definitions => { "mssg"      => "((Msg|message|Message|message1|message2|Message1|Message2) [=])"
                             "nhchg"     => "%{WORD} -> %{WORD}"
                             "debug"  => "NDP-DBG"
                            }
    match => {
            "message" => ["%{TIMESTAMP_ISO8601:timestamp} %{WORD:node}:%{WORD:program}:%{INT:pid} %{WORD:tracetype}.*%{mssg} \"%{GREEDYDATA:Message}\""]
            "Message" => ["%{debug:NDPdebug}:%{DATA:function}:%{INT:line}:: %{GREEDYDATA:msg}", "NexthopId %{WORD:nexthop_id}", "state %{WORD:state}", "event %{WORD:event}", "Prefix %{DATA:prefix}/", "NhType_change %{nhchg:nhtype_change}"]
}
  }
date {
    match => ["timestamp","ISO8601","yyyy-MM-dd HH:mm:ss"]
    target => "@timestamp"
 }
}

Here is my log
2020-04-28 16:47:43.663882033 re0:ndp:13273 lltp_debug message = "NDP-DBG:ndp_dad_stop:273:: ndp_dad_stop: DAD structure not found"

Badger · April 29, 2020, 1:45pm

It would not surprise me if that grok failed, but if it parses [timestamp] as 2020-04-28 16:47:43.663882033, with 9 digits of subsecond precision then you need a matching date filter

date { match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSSSSS" ] }

Hari_Krishna · April 29, 2020, 2:00pm

Hi Badger,

Now i dont see the error
But I see that the hour and minute seems to be different. Do i need to change any timezone?
And i also need the 9 digits of subseconds in @timestamp

          @timestamp	                             timestamp 
Apr 17, 2020 @ 06:16:17.841	      2020-04-17 11:46:17.841003766

Badger · April 29, 2020, 2:17pm

You can use the timezone option on the date filter to tell it what timezone your logs use. elasticsearch always stores dates as UTC. kibana will map it to the browser's timezone.

Not going to happen. elasticsearch has a date_nanos type, but logstash has no support for anything beyond milliseconds.

Hari_Krishna · April 29, 2020, 2:54pm

Thanks.

system · May 27, 2020, 2:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.