There is no dateparsefailure in the tag,but it does not work

antony.y · May 8, 2018, 2:45am

i have a field named "time",the format is just like "2018/05/02:08:22:23" , so i used a date filter, and the format is like following:

date {
match => ["time","yyyy/MM/dd:HH:mm:ss"]
targer =>"@timestamp"
}

there is no any _dateparsefailure in tags,but the timestamp didn't change,where is the problem

antony.y · May 8, 2018, 3:08am

i have viewed the previous topic , but i didn't find the solution,i'll appreciate it if anyone who can help me~:grinning:

magnusbaeck · May 8, 2018, 6:05am

Please show an example event produced by Logstash. Use a stdout { codec => rubydebug } output.

antony.y · May 8, 2018, 7:55am

The output is as follows:

{
"inter_id" => "134"
"module" => "0-PPE-1"
"messag" => "<134> 2018/05/08:02:06:05 GMT PH180I1-NC80LC02 0-PPE-1 : default tcp nat_conn_delink"
"type" =>"logs"
"tags" =>[
[0] "LC"
],
"hostname" =>"PH180I1-NC80LC02 "
"@timestamp"=>2018-05-07T18:06:05.000z,
"time" => "2018/05/05:02:06:05"
"info" => " default tcp nat_conn_delink""
}

magnusbaeck · May 8, 2018, 7:57am

Okay. And what does the complete configuration look like? Does the date filter come after the grok filter or whatever you're using the parse the message field?

antony.y · May 8, 2018, 8:05am

of course ,the date filter is after grok, the full configuration of the filter is like:

filter {
grok {
patterns_dir => ["/etc/logstash/patterns"]
match=>["message","INT:inter_id%{time:time} GMT %{HOSTNAME:hostname}%{URIHOST:module} :default %{event:event} %{INT:int1}:%{GREEDYDATE:info}"]
}
date {
match => ["time","yyyy/MM/dd:HH:mm:ss"]
target =>"@timestamp"
}
}

magnusbaeck · May 8, 2018, 8:38am

Um, wait. What's the timezone on the machine where you're running Logstash? UTC+8, by any chance? It looks like the date filter is working fine. Perhaps you need to set the date filter's timezone option (or have it parse the GMT string in the timestamp) to override the timezone used when parsing the timestamp.

antony.y · May 8, 2018, 9:00am

the timezone here is GMT+8,I will try to parse the GMT in the time field and try again

antony.y · May 9, 2018, 2:41am

I have tried both using timezone option and put GMT in the "time" field,still the same.

antony.y · May 9, 2018, 2:59am

it does work,i used timezone option,thanks~

system · June 6, 2018, 3:00am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Date FIlter - _dateparsefailure [SOLVED] Logstash	21	21602	November 4, 2022
_dateparsefailure again Logstash	3	1148	June 27, 2017
_dateparsefailure While parsing string Logstash	3	754	February 22, 2017
Date Filter Doesn't Work Logstash	6	923	November 2, 2018
Dateparsefailure error logstash Logstash	1	196	June 30, 2021

There is no dateparsefailure in the tag,but it does not work

Related topics