Keep getting dateparsefailures in Nexus logs

niudaye123 · April 15, 2020, 11:26pm

Hi,
I keep getting the dateparsefailure from a Nexus device, could not figure out what's wrong, can someone take a quick look? Thanks a lot!

{
"_index": "network-2020.04.14",
"_type": "_doc",
"_id": "OaQHd3EB-3-fVVnV4l2f",
"_version": 1,
"_score": 0,
"_source": {
"log_date": "2020 Apr 13 21:52:17.496 Pacific Daylight Time",
"host": "10.149.10.134",
"facility": "ETH_PORT_CHANNEL",
"tags": [
"cisco",
"_dateparsefailure"
],
"@timestamp": "2020-04-14T04:52:17.514Z",
"severity_level": "5 - Notification",
"type": "syslog-cisco",
"fingerprint": "852be74a10a7a7dc4b7804789b39449e6eaf2639",
"message": "port-channel110: Ethernet1/10 is down",
"facility_mnemonic": "PORT_DOWN"
},
"fields": {
"@timestamp": [
"2020-04-14T04:52:17.514Z"
]
},
"highlight": {
"host": [
"@kibana-highlighted-field@10.149.10.134@/kibana-highlighted-field@"
],
"host.keyword": [
"@kibana-highlighted-field@10.149.10.134@/kibana-highlighted-field@"
]
}
}

The following is my filter for date:

date {
match => [
"log_date",

    # IOS
    "MMM dd HH:mm:ss.SSS ZZZ",
    "MMM  d HH:mm:ss.SSS ZZZ",
    "MMM dd HH:mm:ss ZZZ",
    "MMM  d HH:mm:ss ZZZ",
    "MMM dd HH:mm:ss.SSS",
    "MMM  d HH:mm:ss.SSS",


    # Nexus
    "YYYY MMM dd HH:mm:ss.SSS ZZZ",
    "YYYY MMM dd HH:mm:ss ZZZ",
    "YYYY MMM dd HH:mm:ss.SSS",

    # Hail marry
    "ISO8601"
  ]

Badger · April 16, 2020, 12:52am

Joda has a list of timezone names that it supports, and that is not on it. You can use mutate+gsub to replace the timezone name with something that Joda supports.

niudaye123 · April 17, 2020, 9:03pm

Hi Badger, thanks for the reply, I do have a mutate+gsub as below right before the date filter. But that seems it doesn't work, what should it be changed to?

if "cisco" in [tags] {

# Add the following to get timezone right.
mutate {
  gsub => [
    "log_date", "PDT", "Pacific Daylight Time"
  ]
  gsub => [
    "log_date", "PST", "Pacific Standard Time"
  ]
}

Badger · April 17, 2020, 10:06pm

Try

mutate { gsub => [ "log_date", "PST|PDT", "PST8PDT" ] }

niudaye123 · April 20, 2020, 10:12pm

That works! Thank you!

system · May 18, 2020, 10:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.