Stumped on TIMESTAMP_ISO8601 in grok

Ron_Pritchett · August 10, 2016, 5:53pm

Hello,

I'm not sure why this is throwing an error.

the input file:
<133>2016-08-10T16:33:39.827713+00:00 localhost opt-log-nginx-access

the configfile:
input {
stdin { type => syslog }
}

filter {
  if [type] == "syslog" {
    grok {
      match => [ "message", "%{SYSLOG5424PRI:priority}%{TIMESTAMP_ISO8601:timestamp} %{IPORHOST:myhost}" ]
    }
    date { match => [ "timestamp", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "MMM dd HH:mm:ss Z", "MMM d HH:mm:ss", "dd/MMM/yyyy:HH:mm:ss Z", "TIMESTAMP_ISO8601" ] }
    mutate {
        add_field => { "imjava" => "imhere" }
        add_tag => "imatag"
    }
  }
}

output {
  stdout { codec => rubydebug }
  file { path => "/tmp/blah.txt" }
}

grok pattern per grok debug
TIMESTAMP_ISO8601 %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?

grok debug says I'm good, but I get this error msg:

Settings: Default pipeline workers: 1
Pipeline aborted due to error {:exception=>#<LogStash::ConfigurationError: Cannot register filter date plugin. The error reported is:
  Illegal pattern component: T for pattern 'TIMESTAMP_ISO8601'>, :backtrace=>["/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-date-2.1.6/lib/logstash/filters/date.rb:297:in `setupMatcher'", "org/jruby/RubyArray.java:1613:in `each'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-date-2.1.6/lib/logstash/filters/date.rb:224:in `setupMatcher'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-filter-date-2.1.6/lib/logstash/filters/date.rb:189:in `register'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:182:in `start_workers'", "org/jruby/RubyArray.java:1613:in `each'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:182:in `start_workers'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/pipeline.rb:136:in `run'", "/opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-2.3.4-java/lib/logstash/agent.rb:473:in `start_pipeline'"], :level=>:error}
stopping pipeline {:id=>"main"}

important part being:
The error reported is: Illegal pattern component: T for pattern 'TIMESTAMP_ISO8601'

any ideas?

thanks!

magnusbaeck · August 11, 2016, 5:49am

It's not grok that's complaining, it's date. TIMESTAMP_ISO8601 is a grok pattern, not a date pattern. Try ISO8601 instead.

Ron_Pritchett · August 12, 2016, 3:17pm

Many thanks for that reply!

So, in my mind it'd seems only logical that date would also have the same patterns as grok from the standard library. At least those related to time & date. Would it be worth while for me to file an enhancement request on github for this?

thanks again!

magnusbaeck · August 12, 2016, 4:17pm

It's not up to me, but I can see a number of problems with supporting grok patterns in the date filter. Not so much because it's technically hard but because creating a reasonable user interface without too many corner cases and contradictions could be challenging and in the end not really lead to an improvement. The Logstash team might see things differently, so filing an issue might not be in vain.

Topic		Replies	Views
Trouble matching timestamp Logstash	5	3748	May 26, 2017
Grok filter TIMESTAMP_ISO8601 Logstash not working Logstash	3	2641	May 8, 2019
TIMESTAMP_ISO8601 in date not working Logstash	2	2286	July 19, 2018
Python log Logstash grok filter Logstash	4	3516	March 22, 2018
Converting date to ISO8601 Logstash	11	13902	July 6, 2017

Stumped on TIMESTAMP_ISO8601 in grok

Related topics