Grokparsefailure when I add a date filter

Hello,

I'm encountering a strange behaviour when using a date plugin.
I have the following configuration:

input {
  file {
    path => "/var/log/clients/tpxent06s/"
    type => "logs_yoneos_preprod"
    exclude => ".gz"
  }
}

filter {
  grok {
    match => { "message" => "%{NOTSPACE:terminalId} %{NOTSPACE:date} %{NOTSPACE:time} %{NOTSPACE:file} %{DATA:application} %{NOTSPACE:word} %{INT:firstInt} %{INT:secondInt} NULL"}
  }
  mutate { gsub => ["time", ".\d{6}$", ""]}
  mutate { add_field => { "dateTime" => "%{date} %{time}" } }
  date { match => ["dateTime", "yyyy-MM-dd"] }
}

output {
  elasticsearch {
    hosts => ["xx.xx.xxx.xx:9200"]
    index => "tapandgo_yoneo"
  }
}

Sample data:

00071131 2019-08-11 22:10:26.668000 util.c TAP Buffer App openLog 1078 40 NULL [-1] [ERROR] [../src/manager/tapManager.c:435 TapManager_SendTaps_Callback] Unable to send the tap, we break the loop\n\n
00071131 2019-08-11 22:10:26.721000 util.c TAP Buffer App openLog 1064 20 NULL [-1] [INFO] [../src/manager/bddManager.c:172 Database_AddTapRejected] Tap Rejected has been added in database\n

The result is that all lines from my log files are tagged with grokparsefailure.
If I comment out the date plugin, my log lines are correctly parsed.

Do you have any idea of what's going on?

Thanks.

Your data is tab separated. Is it possible that when you edit the configuration the editor is switching from space separated to tab separated?

Hello Badger,

Thanks for your answer.
I checked and tabs are OK after editing.
If I only comment out the date plugin, I go back to a situation where the log is correctly parsed.

Hello,

Problem solved.
I am not sure of the exact cause, but it seems it was solved by adding the correct encoding in the file input plugin.

Benoît
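
Added example, not part of the thread and not the posters' code: a small Python check for the two causes raised above (tab versus space separators, and file encoding), run against the raw bytes of a log file before touching the grok pattern or the file input's encoding setting. The sample line is constructed from the thread's sample data with tab separators assumed; `guess_encoding` and `diagnose` are hypothetical helper names.

```python
import codecs

# BOMs, longest first so UTF-32 LE is not mistaken for UTF-16 LE.
BOMS = [
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF8, "utf-8-sig"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
]

def guess_encoding(raw: bytes) -> str:
    """Best-effort guess from a BOM, NUL-byte layout, or UTF-8 validity."""
    for bom, name in BOMS:
        if raw.startswith(bom):
            return name
    sample = raw[:400]
    # ASCII-range text stored as UTF-16 has a NUL in every other byte.
    if sample[1::2].count(0) > len(sample) // 4:
        return "utf-16-le"
    if sample[0::2].count(0) > len(sample) // 4:
        return "utf-16-be"
    try:
        raw.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "unknown-8bit"  # some single-byte charset; needs a human decision

def diagnose(raw: bytes) -> dict:
    """Report the encoding and the separators found in the first log line."""
    enc = guess_encoding(raw)
    text = raw.decode("latin-1" if enc == "unknown-8bit" else enc, errors="replace")
    lines = text.lstrip("\ufeff").splitlines()
    first = lines[0] if lines else ""
    return {
        "encoding": enc,
        "nul_bytes": raw.count(0),  # unexpected in a UTF-8/ASCII text log
        "tabs": first.count("\t"),
        "spaces": first.count(" "),
    }

# Constructed sample: the thread's first log line, tab-separated fields assumed.
LINE = "00071131\t2019-08-11\t22:10:26.668000\tutil.c\tTAP Buffer App\topenLog\t1078\t40\tNULL\n"

if __name__ == "__main__":
    for raw in (LINE.encode("utf-8"), codecs.BOM_UTF16_LE + LINE.encode("utf-16-le")):
        print(diagnose(raw))
```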
