Problem with date filter

Thuunder7 · May 9, 2022, 2:07pm

Hello,
I have been trying to use the date filter plugin but without success. I am trying to parse a field and target it into @timestamp field.

My message field contains a date string like the following:

2022-05-09 09:19:07,900 [xJQsL/r76U:396] DEBUG

I am creating two new fields: modb.date and modb.ms. The field mobd.date and modb.ms are corretly parsed , and respectively get the values 2022-05-09 09:19:07 and 900. Then i concatenate both to create a new field called modb.time with the format 2022-05-09 09:19:07.900.

The problem happens when i try to use the date filter on this modb.time field. When the documents get indexed i can see on the field tags, "_dateparsefailure". I have tried to parse with multiple formats but without success.

I can only parse the modb.time value when i remove the miliseconds (.SSS) in the parsing format.

filter {
    dissect {
        mapping => { "message" => "%{[modb][date]},%{[modb][ms]}[" }
    }

    mutate {
        add_field => { "[modb][time]" => "%{[modb][date]}.%{[modb][ms]}" }
    }

    date {
        #match => [ "timestamp", "MM/d/yyyy h:mm:ss a" ]
        match => [ "[modb][time]", "yyyy-MM-dd hh:mm:ss.SSS" ]
        target => ["@timestamp"]
    }
}

Do you have any ideias why is this happening?
Regards

aaron-nimocks · May 9, 2022, 2:25pm

2022-05-09 09:19:07,900 [xJQsL/r76U:396] DEBUG

There is a space after the ms in timestamp and the [ that isn't account for in the Grok pattern.

Try this. %{[modb][date]},%{[modb][ms]} [

Thuunder7 · May 9, 2022, 2:49pm

Nice finding It was resolved with your solution.
Thank you!

Thuunder7 · May 10, 2022, 3:20pm

Seems like i am having issues again with the date filter. Yesterday was working fine, but today is not working anymore...

Field to be parsed by date filter: 2022-05-10 15:11:28.209

Filter used:

date {
        match => [ "[modb][time]", "yyyy-MM-dd hh:mm:ss.SSS" ]
        target => ["@timestamp"]
    }

I didn't touch the date filter since it was working.
Do you see anything that i am not seeing?

Regards

aaron-nimocks · May 10, 2022, 4:00pm

Try big H's for the hour. Documentation.

match => [ "[modb][time]", "yyyy-MM-dd HH:mm:ss.SSS" ]

Thuunder7 · May 13, 2022, 8:29am

Thanks Aaron, it is working. I was confused since with the previous pattern worked and suddenly stopped.

system · June 10, 2022, 8:29am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Date filter issues Logstash	3	485	July 6, 2017
There is no dateparsefailure in the tag,but it does not work Logstash	10	555	June 6, 2018
Dateparsefailure error logstash Logstash	1	196	June 30, 2021
Logstash Parse Date Issue Logstash	2	656	July 6, 2017
Date FIlter - _dateparsefailure [SOLVED] Logstash	21	21603	November 4, 2022

Problem with date filter

Related topics