Problem with date filter

Thuunder7 · May 9, 2022, 2:07pm

Hello,
I have been trying to use the date filter plugin but without success. I am trying to parse a field and target it into @timestamp field.

My message field contains a date string like the following:

2022-05-09 09:19:07,900 [xJQsL/r76U:396] DEBUG

I am creating two new fields: modb.date and modb.ms. The field mobd.date and modb.ms are corretly parsed , and respectively get the values 2022-05-09 09:19:07 and 900. Then i concatenate both to create a new field called modb.time with the format 2022-05-09 09:19:07.900.

The problem happens when i try to use the date filter on this modb.time field. When the documents get indexed i can see on the field tags, "_dateparsefailure". I have tried to parse with multiple formats but without success.

I can only parse the modb.time value when i remove the miliseconds (.SSS) in the parsing format.

filter {
    dissect {
        mapping => { "message" => "%{[modb][date]},%{[modb][ms]}[" }
    }

    mutate {
        add_field => { "[modb][time]" => "%{[modb][date]}.%{[modb][ms]}" }
    }

    date {
        #match => [ "timestamp", "MM/d/yyyy h:mm:ss a" ]
        match => [ "[modb][time]", "yyyy-MM-dd hh:mm:ss.SSS" ]
        target => ["@timestamp"]
    }
}

Do you have any ideias why is this happening?
Regards

aaron-nimocks · May 9, 2022, 2:25pm

2022-05-09 09:19:07,900 [xJQsL/r76U:396] DEBUG

There is a space after the ms in timestamp and the [ that isn't account for in the Grok pattern.

Try this. %{[modb][date]},%{[modb][ms]} [

Thuunder7 · May 9, 2022, 2:49pm

Nice finding It was resolved with your solution.
Thank you!

Thuunder7 · May 10, 2022, 3:20pm

Seems like i am having issues again with the date filter. Yesterday was working fine, but today is not working anymore...

Field to be parsed by date filter: 2022-05-10 15:11:28.209

Filter used:

date {
        match => [ "[modb][time]", "yyyy-MM-dd hh:mm:ss.SSS" ]
        target => ["@timestamp"]
    }

I didn't touch the date filter since it was working.
Do you see anything that i am not seeing?

Regards

aaron-nimocks · May 10, 2022, 4:00pm

Try big H's for the hour. Documentation.

match => [ "[modb][time]", "yyyy-MM-dd HH:mm:ss.SSS" ]

Thuunder7 · May 13, 2022, 8:29am

Thanks Aaron, it is working. I was confused since with the previous pattern worked and suddenly stopped.

system · June 10, 2022, 8:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
There is no dateparsefailure in the tag,but it does not work Logstash	10	555	June 6, 2018
Dateparsefailure error logstash Logstash	1	196	June 30, 2021
Date FIlter - _dateparsefailure [SOLVED] Logstash	21	21575	November 4, 2022
Date filter plugin issue Logstash	13	387	August 1, 2018
Date filter in logstash.conf not parsing the date while grok parses it by timestamp_iso8601 Logstash	21	27371	July 6, 2017

Problem with date filter

Related Topics