Getting _dateparsefailure tag

Hari_Krishna · April 29, 2020, 1:30pm

I have to replace the @timestamp in kibana with the timestamp in my log.But when i try to do that it doesn't replace, but it adds a _dateparsefailure tag.
Here is my filter

filter {

grok
{
    break_on_match => false
    pattern_definitions => { "mssg"      => "((Msg|message|Message|message1|message2|Message1|Message2) [=])"
                             "nhchg"     => "%{WORD} -> %{WORD}"
                             "debug"  => "NDP-DBG"
                            }
    match => {
            "message" => ["%{TIMESTAMP_ISO8601:timestamp} %{WORD:node}:%{WORD:program}:%{INT:pid} %{WORD:tracetype}.*%{mssg} \"%{GREEDYDATA:Message}\""]
            "Message" => ["%{debug:NDPdebug}:%{DATA:function}:%{INT:line}:: %{GREEDYDATA:msg}", "NexthopId %{WORD:nexthop_id}", "state %{WORD:state}", "event %{WORD:event}", "Prefix %{DATA:prefix}/", "NhType_change %{nhchg:nhtype_change}"]
}
  }
date {
    match => ["timestamp","ISO8601","yyyy-MM-dd HH:mm:ss"]
    target => "@timestamp"
 }
}

Here is my log
2020-04-28 16:47:43.663882033 re0:ndp:13273 lltp_debug message = "NDP-DBG:ndp_dad_stop:273:: ndp_dad_stop: DAD structure not found"

Badger · April 29, 2020, 1:45pm

It would not surprise me if that grok failed, but if it parses [timestamp] as 2020-04-28 16:47:43.663882033, with 9 digits of subsecond precision then you need a matching date filter

date { match => [ "timestamp", "yyyy-MM-dd HH:mm:ss.SSSSSSSSS" ] }

Hari_Krishna · April 29, 2020, 2:00pm

Hi Badger,

Now i dont see the error
But I see that the hour and minute seems to be different. Do i need to change any timezone?
And i also need the 9 digits of subseconds in @timestamp

          @timestamp	                             timestamp 
Apr 17, 2020 @ 06:16:17.841	      2020-04-17 11:46:17.841003766

Badger · April 29, 2020, 2:17pm

You can use the timezone option on the date filter to tell it what timezone your logs use. elasticsearch always stores dates as UTC. kibana will map it to the browser's timezone.

Not going to happen. elasticsearch has a date_nanos type, but logstash has no support for anything beyond milliseconds.

Hari_Krishna · April 29, 2020, 2:54pm

Thanks.

system · May 27, 2020, 2:54pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
_dateparsefailure when trying to overwrite @timestamp Logstash	8	149	June 7, 2024
There is no dateparsefailure in the tag,but it does not work Logstash	10	555	June 6, 2018
Date FIlter - _dateparsefailure [SOLVED] Logstash	21	21602	November 4, 2022
@Timestamp is not matching event timestamp _dateparsefailure Logstash	3	162	November 2, 2023
_dataparsefailure in tags Logstash	9	1475	October 22, 2019

Getting _dateparsefailure tag

Related topics