"Parse line error: parsing docker timestamp: parsing time \"\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"\" as \"2006\"","service.name":"filebeat","ecs.version":"1.6.0"}

dell2 · July 21, 2023, 3:06am

    filebeat.autodiscover:
      providers:
        - type: kubernetes
          hints.enabled: true
          json.message_key: message
          json.timestamp.key: timestamp
          json.keys_under_root: true
          json.overwrite_keys: true
          fields_under_root: true
          hints.default_config:
            type: container
            paths:
              - /var/log/oauth-apiserver/*.log
              - /var/log/kube-apiserver/*.log
              - /var/log/openshift-apiserver/*.log
              - /var/log/oauth-server/*.log
              - /var/log/audit/*.log
      processors:
        - add_kubernetes_metadata:
            host: ${NODE_NAME}
            matchers:
            - logs_path:
                logs_path: "/var/log/*/"

I keep running into this parsing error on openshift.

image: docker.elastic.co/beats/filebeat:8.8.2

{"log.level":"error","@timestamp":"2023-07-21T02:59:37.753Z","log.logger":"reader_docker_json","log.origin":{"file.name":"readjson/docker_json.go","file.line":231},"message":"Parse line error: parsing docker timestamp: parsing time \"\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"\" as \"2006\"","service.name":"filebeat","ecs.version":"1.6.0"}

{"log.level":"error","@timestamp":"2023-07-21T02:59:37.753Z","log.logger":"reader_docker_json","log.origin":{"file.name":"readjson/docker_json.go","file.line":231},"message":"Parse line error: parsing docker timestamp: parsing time \"\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"\" as \"2006\"","service.name":"filebeat","ecs.version":"1.6.0"}

{"log.level":"error","@timestamp":"2023-07-21T02:59:37.753Z","log.logger":"reader_docker_json","log.origin":{"file.name":"readjson/docker_json.go","file.line":231},"message":"Parse line error: parsing docker timestamp: parsing time \"\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"\" as \"2006\"","service.name":"filebeat","ecs.version":"1.6.0"}

Any help or pointers will be appreciated.

coezdemir · July 21, 2023, 6:50am

Hello,

It seems like you have some difference between the timestamp formats between your stuff and filebeat cannot magically understand the format. Maybe you need to set some layouts and teach your processors to what kind of format to expect.

Regards.

Suvom_Das · August 10, 2023, 5:09pm

I have encountered with the same issue. Previously I was using filebeat version 6.0.1 and it was working fine, now I upgrade filebeat version to 8.9 and did the necessary changes in the filebeat.yaml and facing above issues.

system · September 7, 2023, 7:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parse line error: parsing CRI timestamp with filebeat 7.9.3 Beats filebeat	1	1026	June 29, 2021
Error parsing CRI timestamp Beats filebeat	2	1663	March 15, 2019
Error logging container json files with filebeat Beats docker , filebeat	1	456	December 31, 2021
Error parsing timestamp Logstash	2	1295	July 12, 2021
Filebeat cannot parse a custom @timestamp string Beats docker , filebeat	2	1568	November 20, 2020

"Parse line error: parsing docker timestamp: parsing time \"\" as \"2006-01-02T15:04:05Z07:00\": cannot parse \"\" as \"2006\"","service.name":"filebeat","ecs.version":"1.6.0"}

Related topics