Not able to convert the Grokked value to timestamp

Prateek_Kshtriya · January 19, 2017, 5:59am

Hi All,

I am trying to capture the time in the below message-

02 Sep 2016 06:31:03:Master: WARNING - >: OL:0-1232 GHOW: error found in waiting table:

Problem 1- The time stamp is not getting picked by "DATESTAMP" grok command so %{WORD}-%{MONTH}-%{YEAR} %{TIME} is used to pick the value. Please help how to use %{DAY} instead of %{WORD} as it leads to problem 2

Problem 2- When trying to convert to date format using
date {
match => [ "timestamp", "dd M yy HH:mm:ss" ]
}

It is giving below error while posting data using logstash -

Failed parsing date from field {:field=>"timestamp", :value=>"02 Sep 2016 1
6:52:39", :exception=>"Invalid format: "02 Sep 2016 16:52:39" is malformed at
"Sep 2016 16:52:39"", :config_parsers=>"dd M yy HH:mm:ss", :config_locale=>"de
fault=en_US", :level=>:warn}

Please help with same.

Regards,
Prateek

magnusbaeck · January 19, 2017, 7:18am

Please help how to use %{DAY} instead of %{WORD}

DAY is the name of the weekday. You should use MONTHDAY.

as it leads to problem 2

No, your use of WORD is unrelated to your second problem.

match => [ "timestamp", "dd M yy HH:mm:ss" ]

Try MMM instead of M and yyyy instead of yy.

Prateek_Kshtriya · January 19, 2017, 9:36am

Thank you. The solution resolves the issue.

Regards,
Prateek Divya

system · February 16, 2017, 9:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.