Logstash - Date function - Mapping timestamp ends with error _dateparsefailure when a hour is 02

vasek · April 12, 2020, 2:39pm

Hello,
I figured out one thing:
Logstash 7.6.0 is not able map date to @timestamp field when timestamp has 02 in hour positio.

In pipeline configuration file:

if [timestamp]  {
  date {
    match => ["timestamp", "yyyy-MM-dd HH:mm:ss,SSS",  "yyyy-MM-dd HH:mm:ss.SSS", "ISO8601" ]
    target => "@timestamp"
    remove_field => ["timestamp"]
  }
}

Grok pattern works fine. In the field timestamp is correct value, e.g.: 2020-03-29 03:35:47.392 without additional whitespaces.
I simplified parser and date mapping and found out that error _dateparsefailure occur only on lines where hour is 02.

2020-03-29 02:35:47.392 INFO [xxx] Some message

There is example of log file.

2020-03-29 15:35:47.392 INFO [xxx] Some message
2020-03-29 14:35:47.392 INFO [xxx] Some message
2020-03-29 13:35:47.392 INFO [xxx] Some message
2020-03-29 12:35:47.392 INFO [xxx] Some message
2020-03-29 11:35:47.392 INFO [xxx] Some message
2020-03-29 10:35:47.392 INFO [xxx] Some message
2020-03-29 09:35:47.392 INFO [xxx] Some message
2020-03-29 08:35:47.392 INFO [xxx] Some message
2020-03-29 07:35:47.392 INFO [xxx] Some message
2020-03-29 06:35:47.392 INFO [xxx] Some message
2020-03-29 05:35:47.392 INFO [xxx] Some message
2020-03-29 04:35:47.392 INFO [xxx] Some message
2020-03-29 03:35:47.392 INFO [xxx] Some message
2020-03-29 02:35:47.392 INFO [xxx] Some message
2020-03-29 01:35:47.392 INFO [xxx] Some message

Is it a bug or am I doing something wrong?
Vašek

Badger · April 12, 2020, 3:38pm

Did 02:35 occur? Did daylight savings time cause the time to go directly from 01:59:59 to 03:00:00 that day?

vasek · April 12, 2020, 3:58pm

Hello @Badger, mapping fails on these 4 lines:

2020-03-29 02:06:54.462 INFO  [liferay/scheduler_dispatch-4]
2020-03-29 02:07:09.545 INFO  [liferay/scheduler_dispatch-4]
2020-03-29 02:35:47.392 INFO  [default task-2]
2020-03-29 02:35:47.397 ERROR [default task-2]

Time in logs is in UTC. Our servers are in +1 UTC (Prague). But why would mapping fail?

vasek · April 12, 2020, 4:05pm

Aaa.. so it looks that problem is in daylight saving time change. Yes, the time should go to 03:00:00. So how we can achieve to correctly map this dates?

Badger · April 12, 2020, 5:12pm

When I have dealt with this in the past (when analyzing NYPD arrest records) I used a series of gsubs

mutate { gsub => [ "someField", "^2020-03-29 02:", "2020-03-29 03:" ] }

That only deals with the one hour. When your logs contain "2020-03-29 03:35:47.392" they may well mean "2020-03-29 04:35:47.392". It also ignores the problems when time goes back later in the year. Personally I only cared whether arrests were recorded in the right month, so an hour with twice as many events as it should have had, and an hour that had no events did not bother me.

vasek · April 15, 2020, 5:43am

Thank you @Badger. It helps me.

Topic		Replies	Views
Logstash -- inconsistent result with Date Logstash	7	403	May 6, 2019
_dateparsefailure mapping date and time to @timestamp field Logstash	3	340	May 26, 2021
Logstash _dateparsefailure error Logstash	6	17415	July 6, 2017
Mysterious _dateparsefailure on identical fields Logstash	7	419	August 6, 2020
Logstash date parser not parsing correctly Logstash	5	1034	July 6, 2017

Logstash - Date function - Mapping timestamp ends with error _dateparsefailure when a hour is 02

Related topics