Logstash Data parsing error - _dateparsefailure

aswinkumart · June 30, 2017, 8:48pm

I am trying to parse the Time format "timestamp" => "27/06/17 11:19:53:053 EDT" - I tried the following match pattarns in Logstash Filter but I am getting _dateparsefailure error

Filter in Logstash:
------------------------
filter {
if [type] == "app-log"
{

grok {
            match => ["message", "\[%{GREEDYDATA:timestamp}\] %{GREEDYDATA:message}"]
     }

date {
    locale => "en"
    #match => ["timestamp", "dd/MM/yy HH:mm:ss:SSS Z"]
match => [ "timestamp", "ISO8601" ]
    timezone => "UTC"
    target => "@logtimestamp"
    }
}
}

Data output in stdout:
--------------------------------
"@timestamp" => 2017-06-30T20:47:14.468Z,
"offset" => 949,
"@version" => "1",
"input_type" => "log",
"beat" => {
"hostname" => "XXXXXXXXXXXX",
"name" => "XXXXXXXXXX",
"version" => "5.2.2"
},
"host" => "XXXXXXXXXXXXX",
"source" => "D:\ELK\filebeat\source\YYYY.log",
"message" => [[XXXXXXXXXXXX],
"type" => "app-log",
"tags" => [
[0] "beats_input_codec_plain_applied",
[1] "_dateparsefailure"
],
"timestamp" => "27/06/17 11:19:53:053 EDT"

magnusbaeck · July 3, 2017, 5:36am

The Logstash log should contain information about what the date filter finds objectionable, but you can start by deleting

match => [ "timestamp", "ISO8601" ]

since your timestamp clearly isn't ISO8601, and then reinstating

match => ["timestamp", "dd/MM/yy HH:mm:ss:SSS Z"]

which should be okay except that the date filter can't parse timezone names like EDT.

aswinkumart · July 6, 2017, 7:13pm

Thanks for the reply. It worked for me!

Topic		Replies	Views
Data parse error ["_dateparsefailure"] Logstash	9	1097	August 15, 2018
__dateparsefailure trying match date Logstash	2	461	October 14, 2017
Logstash Date Parse failure Logstash	5	938	December 13, 2021
Yet another _dateparsefailure Logstash	8	2068	July 6, 2017
Logstash _dateparsefailure Logstash	4	449	August 31, 2018

Logstash Data parsing error - _dateparsefailure

Related topics