Logstash: _dateparsefailure


(trelo) #1

Hello,
I'm struggling, so far unsuccessfully, with a _dateparsefailure issue. While debugging, everything works fine, but in Elastic every document comes with a _dateparsefailure tag. Here is a piece of the conf:

  .....
  ruby {
    code => "
      event.set( 'index_date', event.timestamp.time.localtime.strftime('%Y.%m.%d') )
    "
  }

  # build the field the date filter will parse from the grok captures
  mutate {
    add_field => {
      "timestamp" => "%{month} %{monthday} %{time}"
    }
  }

  if "_grokparsefailure" in [tags] {
    drop {}
  }
  date {
    match => [ "timestamp", "MMM dd HH:mm:ss" ]
    locale => "en"
    timezone => "Europe/Moscow"
    target => "@timestamp"
  }
  # drop the helper fields once @timestamp is set
  mutate {
    remove_field => [
      "time", "month", "monthday",
      "timestamp", "host", "@version", "tz"
    ]
  .....

Here is the data:

Jan 12 10:16:22 servername postfix/smtp[49832]: 5E4BF161B07: to=client@email.com, relay=mxs.relay.com[92.110.182.102]:25, delay=2.6, delays=0.09/0/0.02/2.4, dsn=2.0.0, status=sent (250 OK id=1eZtZc-0037DW-IL), (250 OK id=1eZtZc-0037DW-IL)


(Magnus Bäck) #2

Remove the mutate filter and show an example document produced by Logstash. Copy/paste from Kibana's JSON tab or use a stdout { codec => rubydebug } output.


(trelo) #3
The stdin plugin is now waiting for input:
Jan 16 14:34:50 mx01 postfix/smtp[11449]: 8E48518009F: to=<email@address>, relay=mx.address.net[17.123.2.12]:25, delay=15, delays=0.86/0/1.4/13, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued on mx.address.mail.net as 1516102490-Mi14m3hIr0-YbxWl07n), (250 2.0.0 Ok: queued on mx.address.mail.net as 1516102490-Mi14m3hIr0-YbxWl07n)
{
        "monthday" => "16",
          "server" => "mx01",
        "queue-id" => "8E48518009F",
         "send-to" => "email@address",
      "relay-port" => "25",
         "program" => "postfix/smtp[11449]",
         "message" => [
        [0] "Jan 16 14:34:50 mx01.hw00.sel.pet.lan postfix/smtp[11449]: 8E48518009F: to=<email@address>, relay=mx.address.net[17.123.2.12]:25, delay=15, delays=0.86/0/1.4/13, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued on mx.address.mail.net as 1516102490-Mi14m3hIr0-YbxWl07n), (250 2.0.0 Ok: queued on mx.address.mail.net as 1516102490-Mi14m3hIr0-YbxWl07n)",
        [1] "(250 2.0.0 Ok: queued on mx.address.mail.net as 1516102490-Mi14m3hIr0-YbxWl07n), (250 2.0.0 Ok: queued on mx.address.mail.net as 1516102490-Mi14m3hIr0-YbxWl07n)"
    ],
      "@timestamp" => 2018-01-16T13:14:57.661Z,
           "delay" => "15",
           "month" => "Jan",
        "relay-ip" => "17.123.2.12",
          "delays" => "0.86/0/1.4/13",
        "@version" => "1",
    "relay-domain" => "mx.address.net",
      "index_date" => "2018.01.16",
            "time" => "14:34:50",
             "dsn" => "2.0.0",
          "status" => "sent"
}

(Magnus Bäck) #4

Where's the timestamp field that you're asking the date filter to parse?


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.