Parsing different date formats (difficult)

bab · July 5, 2018, 5:51am

Hi all,
I have two types of timestamps coming into my logstash input from different logfiles:

[6/13/18 8:11:25:022 CEST]
2018-04-17T15:19:20.313

My grok below works for both:

if [fields][log_type] == "p8_server_error" {
  grok {
   match => [ "message", 
             "%{TIMESTAMP_ISO8601:logdate} %{DATA:thread} %{DATA:sub} [ ]* %{DATA:category} \- %{LOGLEVEL:sev} %{GREEDYDATA:message}" ]
  overwrite => [ "message" ]
  }
  mutate {
    replace => [ "type", "p8_server_error_log" ]
    }
 }
 if [fields][log_type] == "SystemOut-ICN-JVM" {
  grok {
   match => [ "message", 
             "%{DATESTAMP:logdate} %{DATA} %{DATA:thread} %{DATA:source} [ ]* %{DATA:sev} %{DATA:module} %{DATA:log-level} %{DATA} \[ \] %{DATA:java-method} %{GREEDYDATA:message}" ]
   overwrite => [ "message" ]
  }
  mutate {
    replace => [ "type", "SystemOut-ICN-JVM_log" ]
    }
 }

And here's the date Filter which I think is where it's failing:

date {
   match => [ "logdate", "yyyy-MM-dd'T'HH:mm:ss.SSS", "M/dd/yy HH:mm:ss.SSS", "ISO8601" ]
   }

The problem is that only one type this one -> (2018-04-17T15:19:20.313) makes it into the ES index. So here's the subsequent error what i get:

[2018-07-05T07:26:17,226][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"bab_4", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x39e1735b>], :response=>{"index"=>{"_index"=>"bab_4", "_type"=>"doc", "_id"=>"NCPnaGQBAzFCu_yrxMDS", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [logdate]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"6/13/18 5:29:50:575\" is malformed at \"/13/18 5:29:50:575\""}}}}}

What am I doing wrong here? can some one please help??

Badger · July 5, 2018, 12:38pm

This is really an elasticsearch issue, not a logstash issue. If you feed something like 2018-04-17T15:19:20.313 to elasticsearch it will make a note that that field (logdate) is a timestamp. It will then expect that logdate on every other document will also be in that format. elasticsearch does not recognize 6/13/18 5:29:50:575 as a timestamp. Yes, the date filter in logstash can parse it, but elasticsearch cannot.

You are using the date filter to parse it, which means @timestamp should be set correctly. At that point, do you even need a field called logdate? You could either remove_field it, or call it a different name when it is in the second format.

bab · July 5, 2018, 1:09pm

hi @Badger,
when i remove the logdate field it works but i need it becaus i need the log-file date on kibana to visualize. that's mean if i removed i didn't get any log-file date on Kibana, just @timestamp and i don't need it (@timestamp)

Badger · July 5, 2018, 2:42pm

Why not use @timestamp?

bab · July 5, 2018, 2:44pm

because @timestamp does not contain the log-event date, which I parsed in grok.

Badger · July 5, 2018, 2:51pm

Are you saying your date filter is not working?

bab · July 5, 2018, 3:12pm

my date filter does not work completely because I have two different date formats the first is parsed by pattern TIMESTAMP_ISO6801 and the second is parsed by pattern DATESTAMP.
The main problelm is while I parse both dates in the date filter then I get in ES only the first date, which with TIMESTAMP_ISO6801 parsed and the other is shown as error what I have asked above.

I want to parse both date format into an own (one) date filed and in kibana the visualization not with @timestamp but with my date field.
that mean when i will put on kibana pattern index i need there my own date field as a date filter but i get with remove_field option just the @timestamp
my date filetr:

date {
   match => [ "logdate", "yyyy-MM-dd'T'HH:mm:ss.SSS", "M/dd/yy HH:mm:ss.SSS", "ISO8601" ]
   target => "@timestamp" # this hier do nothing
    }
mutate { remove_field => ["logdate"] }

Badger · July 5, 2018, 3:32pm

Your pattern does not match your date. The separator for milliseconds is colon, not period. Try

date { match => [ "message", "yyyy-MM-dd'T'HH:mm:ss.SSS", "MM/dd/yy HH:mm:ss:SSS" ] }

If you want to include the timezone then you will have to do something like

mutate { gsub => [ "message", "CEST", "Europe/Kaliningrad" ] }
date { match => [ "message", "yyyy-MM-dd'T'HH:mm:ss.SSS", "MM/dd/yy HH:mm:ss:SSS ZZZ" ] }

Setting target => "@timestamp" does nothing because @timestamp is the default target.

bab · July 5, 2018, 5:12pm

thnak you @Badger it's work now

system · August 2, 2018, 5:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.