Hello All,
I am having filebeat send data through logstash and I have been unable to get the @timestamp to match the event time. I get a _dateparsefailure tag in Kibana. Everything else is ingesting as intended. I have tried everything I can think of to get it to work. I've read through the discussion posts on this, the documentation, and I am still stumped.
Here is a filter block with the timestamp info. I have other grok written after this and some mutates but they are not related to the timestamp.
    filter {
      if "MMM" in [tags] {
        grok {
          match => {
            "message" => [
              "^(?m)\{\"Timestamp\":\"%{TIMESTAMP_ISO8601:tstamp}\"\,%{GREEDYDATA:json_data}"
            ]
          }
        }
        date {
          match => [ "tstamp", "yyyy-MM-dd HH:mm:ssss", "ISO8601" ]
        }
Then there are more groks that all seem to be working perfectly. We are using the json filter to parse the data.
Here are a few sample log lines.
{"Timestamp":"2023-10-02 08:00:04.3445", "Message":"Assembly Version 1.0.0.1","Caller":{"Class":"Session","Method":"LogNewSession"},"MMM":{"ID":"200","Supposition Number":"0","Application Name":"MMMSandCastle"}}
{"Timestamp":"2023-10-02 08:00:04.3455", "Message":"MMM ID: 200, Location: JanuaryFirstTest, Mode: SCTEST","Caller":{"Class":"Session","Method":"LogNewSession"},"MMM":{"ID":"200","Supposition Number":"0","Application Name":"MMMSandCastle"}}
{"Timestamp":"2023-10-02 08:00:04.3505", "Message":"Clear InSession Flag","Caller":{"Class":"<>c","Method":"<ClearInSession>b__55_0"},"MMM":{"ID":"200","Supposition Number":"0","Application Name":"MMMSandCastle"}}
{"Timestamp":"2023-10-02 08:00:04.3594", "Message":"Filling out accessible options for form Welcome, castle type VR","Caller":{"Class":"FormController","Method":"SetupAccessibilityControls"},"MMM":{"ID":"200","Supposition Number":"0","Application Name":"MMMSandCastle"}}
{"Timestamp":"2023-10-02 08:00:04.3743", "Message":"Error Retrieving ConfigSettings for Key: Sand_Threshold","Caller":{"Class":"ConfigSettings","Method":"GetValue"},"MMM":{"ID":"200","Supposition Number":"0","Application Name":"MMMSandCastle"}}
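
Added example, not part of the original post and not the poster's configuration: the same grok capture followed by a date filter whose explicit pattern has a field for the four fractional-second digits seen in the sample lines. The `.SSSS` pattern and the commented `timezone` value are assumptions to be checked against the real data.

```logstash
filter {
  if "MMM" in [tags] {
    grok {
      # Same capture as in the post: the "Timestamp" value is stored in tstamp.
      match => {
        "message" => [
          "^(?m)\{\"Timestamp\":\"%{TIMESTAMP_ISO8601:tstamp}\"\,%{GREEDYDATA:json_data}"
        ]
      }
    }
    date {
      # Sample value from the post:  2023-10-02 08:00:04.3445
      # Pattern in the post:         yyyy-MM-dd HH:mm:ssss   (no field for ".3445")
      # Assumed replacement: a literal dot plus four fraction-of-second digits (S).
      # The date filter keeps at most millisecond precision, so the fourth
      # digit is not preserved in @timestamp.
      match => [ "tstamp", "yyyy-MM-dd HH:mm:ss.SSSS", "ISO8601" ]

      # The sample timestamps carry no UTC offset. Without a timezone setting
      # the filter interprets them in the Logstash host's zone, which shifts
      # event times if the application logs in a different zone.
      # timezone => "Etc/UTC"   # assumption: replace with the zone the application logs in

      target => "@timestamp"                       # default, written out for clarity
      tag_on_failure => [ "_dateparsefailure" ]    # default tag, useful as an alert condition
    }
  }
}
```

Keeping `tstamp` on the event until the change is confirmed lets you compare it with `@timestamp` in Kibana; a remaining `_dateparsefailure` tag means the event time is still the ingest time, which matters when these logs are used for incident timelines.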