"Parse line error: parsing docker timestamp: parsing time \"\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"\" as \"2006\"","service.name":"filebeat","ecs.version":"1.6.0"}

    filebeat.autodiscover:
      providers:
        - type: kubernetes
          hints.enabled: true
          json.message_key: message
          json.timestamp.key: timestamp
          json.keys_under_root: true
          json.overwrite_keys: true
          fields_under_root: true
          hints.default_config:
            type: container
            paths:
              - /var/log/oauth-apiserver/*.log
              - /var/log/kube-apiserver/*.log
              - /var/log/openshift-apiserver/*.log
              - /var/log/oauth-server/*.log
              - /var/log/audit/*.log
      processors:
        - add_kubernetes_metadata:
            host: ${NODE_NAME}
            matchers:
            - logs_path:
                logs_path: "/var/log/*/"

I keep running into this parsing error on openshift.

image: docker.elastic.co/beats/filebeat:8.8.2

{"log.level":"error","@timestamp":"2023-07-21T02:59:37.753Z","log.logger":"reader_docker_json","log.origin":{"file.name":"readjson/docker_json.go","file.line":231},"message":"Parse line error: parsing docker timestamp: parsing time \"\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"\" as \"2006\"","service.name":"filebeat","ecs.version":"1.6.0"}

{"log.level":"error","@timestamp":"2023-07-21T02:59:37.753Z","log.logger":"reader_docker_json","log.origin":{"file.name":"readjson/docker_json.go","file.line":231},"message":"Parse line error: parsing docker timestamp: parsing time \"\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"\" as \"2006\"","service.name":"filebeat","ecs.version":"1.6.0"}

{"log.level":"error","@timestamp":"2023-07-21T02:59:37.753Z","log.logger":"reader_docker_json","log.origin":{"file.name":"readjson/docker_json.go","file.line":231},"message":"Parse line error: parsing docker timestamp: parsing time \"\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"\" as \"2006\"","service.name":"filebeat","ecs.version":"1.6.0"}

Any help or pointers will be appreciated.

Hello,

It seems like you have some difference between the timestamp formats between your stuff and filebeat cannot magically understand the format. Maybe you need to set some layouts and teach your processors to what kind of format to expect.

Regards.

I have encountered with the same issue. Previously I was using filebeat version 6.0.1 and it was working fine, now I upgrade filebeat version to 8.9 and did the necessary changes in the filebeat.yaml and facing above issues.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.