Logstash _dateparsefailure error

gugansankar · November 29, 2015, 8:26am

How do I match the below timestamp value ?. I'm getting dateparsefailure error.

Log Timestamp:

        2015-11-28 16:46:41,553

Filter config:

grok {
match => [
"message", "%{TIMESTAMP_ISO8601:timestamp}"
]
}
date {
match => ["timestamp", "yyyy-MM-dd HH:mm:ss"]
timezone => "UTC"
add_field => { "Status" => "Matched"}

}
}

Output :

root@gugan:~/ELK# echo '2015-09-30 05:54:22,907' | /opt/logstash/bin/logstash -f test.config
Logstash startup completed
Failed parsing date from field {:field=>"timestamp", :value=>"2015-09-30 05:54:22,907", :exception=>"Invalid format: "2015-09-30 05:54:22,907" is malformed at ",907"", :config_parsers=>"yyyy-MM-dd HH:mm:ss", :config_locale=>"default=en_IN", :level=>:warn}
{
"message" => "2015-09-30 05:54:22,907",
"@version" => "1",
"@timestamp" => "2015-11-29T08:14:34.569Z",
"host" => "gugan",
"timestamp" => "2015-09-30 05:54:22,907",
"tags" => [
[0] "_dateparsefailure"
]
}
Logstash shutdown completed
root@gugan:~/ELK#

vtst2412 · November 29, 2015, 9:31am

  grok {
     match => ["message", "%{TIMESTAMP_ISO8601:timestamp}"]
  }
  date {
       match => ["timestamp", "yyyy-MM-dd HH:mm:ss,SSS"]
       timezone => "UTC"
       add_field => { "Status" => "Matched"}     # add_tag => [ "timestamp_matched"]
       remove_field => ["timestamp"]
   }

You don't really need the target field as @timestamp is the default target. It's good practice to remove the original timestamp field. And this probably also doesn't matter much, but instead of add_field, consider add_tag for marker/meta data like "matched".

magnusbaeck · November 29, 2015, 10:21am

The error message points to you ",907" as the problematic part, and indeed your date pattern clearly doesn't include the milliseconds. You need to use "yyyy-MM-dd HH:mm:ss,SSS".

gugansankar · November 29, 2015, 11:01am

no , its not working. still I'm getting the error.

root@gugan:~/ELK# echo '2015-11-28 16:46:41,587' | /opt/logstash/bin//logstash -f test.config
Logstash startup completed
Failed parsing date from field {:field=>"timestamp", :value=>"2015-11-28 16:46:41,587", :exception=>"Invalid format: "2015-11-28 16:46:41,587" is malformed at ",587"", :config_parsers=>"yyyy-MM-dd HH:mm:ss.SSS", :config_locale=>"default=en_IN", :level=>:warn}
{
"message" => "2015-11-28 16:46:41,587",
"@version" => "1",
"@timestamp" => "2015-11-29T11:01:52.949Z",
"host" => "gugan",
"timestamp" => "2015-11-28 16:46:41,587",
"tags" => [
[0] "_dateparsefailure"
]
}
Logstash shutdown completed
root@gugan:~/ELK#

magnusbaeck · November 29, 2015, 4:32pm

I'd expect it to work better if you try putting a comma before "SSS" instead of a period.

gugansankar · November 29, 2015, 4:57pm

Thanks, its working.

before post the issue here ,I used this .SSS option while debug this issue. But I did same mistake, Used period instead of comma.