Logstash fails to parse dates when sending to Elasticsearch but not with rubydebug


(Luca Malossi) #1

Hi,
I get messages tagged with "dateparsefailure" only when sending them to Elasticsearch, but not when using the rubydebug output.

this is my typical message:
####<Jan 27, 2017 12:14:30 AM CET> <02srv006y6.ad02.eni.intranet> <weblogic.GCMonitor> <> <> <29d1948389fc1539:5ed6b398:159d6d2c9ad:-8000-00000000000000bc> <1485472470999> <38% of the total memory in the server is free>

and this is my filter:

# Filter chain for WebLogic server logs: parse the line with a custom grok
# pattern, normalise the timestamp, derive domain/managed-server names from the
# source path, and tag stuck/unstuck thread events.
# Order matters: the gsub must run before the date filter, and the tags must be
# added before the conditionals that test them.
if [type] == "weblogic-log" {
    # WLS_SRV_LOG is a custom pattern loaded from patterns_dir; its definition is
    # not shown here. Judging by the posted output it yields wls_timestamp,
    # hostname, server, severity, wls_topic and logmessage -- TODO confirm.
    grok {
      patterns_dir => ["/etc/logstash/conf.d/weblogic_patterns" ]
      match => { "message" => "%{WLS_SRV_LOG}" }
    }

    #
    # Replace the WebLogic timezone abbreviation with its numeric equivalent
    # and use wls_timestamp as the message timestamp
    #
    # NOTE(review): only "CET" is rewritten. The "CEST" rewrite below is commented
    # out, so a summer-time event would presumably reach the date filter with the
    # literal text "CEST", which the numeric-offset token "Z" is not expected to
    # parse -- verify against a CEST sample.
    mutate  {
      gsub => ["wls_timestamp", "CET", "+0100"]
    }
    #mutate  {
    #  gsub => ["wls_timestamp", "CEST", "+0200"]
    #}
    # NOTE(review): "HH" is the 24-hour hour-of-day token, yet the pattern also
    # carries an AM/PM marker ("aa"). The rubydebug output posted with this config
    # shows "12:14:30 AM +0100" stored as 11:14:30Z, i.e. the AM/PM marker did not
    # influence the result; the 12-hour token is "hh". "MMM" month names are
    # locale-dependent, so setting the date filter's `locale` option explicitly is
    # worth considering -- confirm the JVM default locale on every Logstash node.
    # When parsing fails, the date filter tags the event (by default with
    # _dateparsefailure) and does not set @timestamp from wls_timestamp, so the
    # stored time no longer reflects when the server logged the event. This
    # distorts any timeline or alert correlation built on these logs.
    date {
      match => [ "wls_timestamp", "MMM dd, yyyy HH:mm:ss aa Z" ]
    }

    # extract domain name and managed name
    # (taken from the path segments after "weblogic-logs/" and "servers/" in the
    # "source" field)
    grok {
      match => [ "source","weblogic-logs\/%{DATA:domain_name}\/servers\/%{DATA:managed_name}\/" ]
    }

    #
    # implement stuck thread alerting for production env
    #
    # check if thread is stuck (by BEA-000337 code)
    # (substring test against the whole raw message)
    if "BEA-000337" in [message]  {
      mutate {
        add_tag => ["stuck_thread"]
      }
    }
    # check if thread is unstuck (by BEA-000339 code)
    if "BEA-000339" in [message] {
      mutate {
        add_tag => ["unstuck_thread"]
      }
    }
    # Translate the tags into a single thread_status field. If an event carried
    # both tags, the later block would win and thread_status would be "UNSTUCK".
    if "stuck_thread" in [tags]{
      mutate {
        replace => ["thread_status", "STUCK" ]
      }
    }
    if "unstuck_thread" in [tags]{
      mutate {
        replace => ["thread_status", "UNSTUCK" ]
      }
    }

    mutate {
      # cosmetic unification
      uppercase => [ "severity" ]
    }
    # NOTE(review): the closing brace of the [type] conditional is not included
    # in the posted snippet.

This is the rubydebug output:
{
"severity" => "INFO",
"wls_topic" => "Health",
"server" => "wlsdommiw-01",
"hostname" => "02srv006y6.ad02.eni.intranet",
"@timestamp" => 2017-01-27T11:14:30.000Z,
"wls_timestamp" => "Jan 27, 2017 12:14:30 AM +0100",
"@version" => "1",
"host" => "02srv009oa.ad02.eni.intranet",
"logmessage" => "<weblogic.GCMonitor> <> <> <29d1948389fc1539:5ed6b398:159d6d2c9ad:-8000-00000000000000bc> <1485472470999> <38% of the total memory in the server is free> ",
"message" => "####<Jan 27, 2017 12:14:30 AM CET> <02srv006y6.ad02.eni.intranet> <weblogic.GCMonitor> <> <> <29d1948389fc1539:5ed6b398:159d6d2c9ad:-8000-00000000000000bc> <1485472470999> <38% of the total memory in the server is free> "
}

Any Ideas?
Regards
Luca

