Match timestamps using different locales

friesoft · March 2, 2018, 9:51am

Hi,

we have some logfiles which contain three different timestamp formats.
Example:

[02/Mar/2018:09:35:21] [Info] [Module] [3085] [Function] my message
[Fri Mar 02 09:35:21.474812 2018] [Module] [pid 1819:tid 140437688055616] errorcode: caught SIGTERM, shutting down
[02/Mär/2018:09:35:25] [Info] [Module] [19154] [Function: message]

The timestamp is always contained in the field "timestamp", extracted using a grok pattern.

I've tried the following:

     date {
         match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss" ] # 02/Mar/2018:09:35:21
         locale => [ "en-US" ]
     }
     date {
         match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss" ] # 02/Mär/2018:09:35:25
         locale => [ "de-DE" ]
     }
     date {
         match => [ "timestamp", "EEE MMM dd HH:mm:ss.SSSSSS yyyy" ] # Fri Mar 02 09:35:30.052734 2018
     }

The problem is: I get dateparsefailure on all three lines. How to get rid of those? The timestamps themselves are correctly parsed.

What would be the correct way to handle such special logfiles?..

Thanks
Bernhard

magnusbaeck · March 2, 2018, 12:45pm

You can clear the date filter's tag_on_failure option to avoid the _dateparsefailure tag. If you want to keep that tag if none of the filters matched that's possible but will require a bunch of conditionals and probably a few mutate filters.

friesoft · March 2, 2018, 2:44pm

Thanks for the info! didn't grasp that tag_on_failure was the right thing for me
Works for me now.

I just noticed one of the patterns is still wrong - the time contains microseconds - which it looks like can't be parsed using logstash/jodatime.
What can I do to match the rest of the date/time?

Fri Mar 02 10:03:03.048488 2018

     date {
         match => [ "timestamp", "EEE MMM dd HH:mm:ss.SSS**SSS** yyyy" ]
         tag_on_failure => [ ]
     }

Thanks for the fast reply

magnusbaeck · March 2, 2018, 3:20pm

You might have to use a mutate filter's gsub option to remove the microseconds. The date filter doesn't keep more than millisecond precision anyway.

system · March 30, 2018, 3:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
__dateparsefailure trying match date Logstash	2	422	October 14, 2017
Parse different datetime values into timestamp Logstash	4	604	April 14, 2017
Get the correct timestamp from the log file Logstash	6	3070	July 6, 2017
_dateparsefailure when trying to overwrite @timestamp Logstash	8	149	June 7, 2024
Completly lost with how to parse date Logstash	2	286	August 5, 2019

Match timestamps using different locales

Related topics