elasticsearch is creating indexes with a future date. @timestamp is not matching the actual event time from the router syslog . The actual event time is Nov 30 2018. Could anyone tell me why the index and @timestamp is not 2018 ?
"Nov 30 10:40:16 system-aaaaaa 172: *Nov 30 01:49:00.001: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:router bgp 65008"
"filebeat-6.2.4-2019.11.30"
content of one of the documents
{
"_index": "filebeat-6.2.4-2019.11.30",
"_type": "doc",
"_id": "_sZBJ2gBAn3SQNgAVupJ",
"_score": 1,
"_source": {
"offset": 56292,
"beat": {
"hostname": "xxx-xxxx-02",
"version": "6.2.4",
"name": "xxx-xxxx-02"
},
"@timestamp": "2019-11-30T02:40:16.000Z",
"tags": [
"beats_input_codec_plain_applied"
],
"prospector": {
"type": "log"
},
"source": "/var/log/HOSTS/system-aaaaaa.log-20190106",
"system": {
"syslog": {
"hostname": "system-aaaaaa",
"message": "*Nov 30 01:49:00.001: %PARSER-5-CFGLOG_LOGGEDCMD: User:admin logged command:router bgp 65008 ",
"program": "172",
"timestamp": "Nov 30 10:40:16"
}
},
"host": "xxx-xxxx-02",
"@version": "1",
"fileset": {
"module": "system",
"name": "syslog"
}
}
this is my logstash configuration.
input {@metadata ][beat]}-%{[@metadata ][version]}-%{+YYYY.MM.dd}"@metadata ][type]}"
warkolm
January 7, 2019, 8:03am
2
Because Logstash assumes that the missing year in the timestamp is this year.
Not sure how to resolve that though sorry.
If you assume the date can not be in the future, you may able to do something like this:
input {
generator {
lines => ['Jan 01 01:49:00.001',
'Nov 30 01:49:00.001']
count => 1
}
}
filter {
date {
match => [ "message", "MMM d HH:mm:ss.SSS", "MMM dd HH:mm:ss.SSS" ]
target=> "[@metadata][tmpdate]"
}
if [@metadata][tmpdate] > [@timestamp] {
mutate {
add_field => { "[@metadata][fulltmpdate]" => "2018 %{[message}"}
}
date {
match => [ "[@metadata][fulltmpdate]", "yyyy MMM d HH:mm:ss.SSS", "yyyy MMM dd HH:mm:ss.SSS" ]
}
} else {
date {
match => [ "message", "MMM d HH:mm:ss.SSS", "MMM dd HH:mm:ss.SSS" ]
}
}
}
output {
stdout { codec => rubydebug { metadata => true} }
}
Adapt the fields to fit your data structure.
1 Like
but according to the change log, as of version 2.1.0 the year rollover is handled internally. i should not be seeing this behaviour. can you clarify ?
/usr/share/logstash/bin/logstash-plugin list --verbose |grep input
logstash-filter-date (3.1.9)
## 3.1.9
- Update gemspec summary
## 3.1.8
- Fix some documentation issues
## 3.1.6
- Fix #97 With "ISO8601" format and timezone interpolation, Joda complains at plugin startup
- Fix skipped DST test, caused by incorrect year guess logic, see comment in test spec/filters/date_spec.rb:540
## 3.1.5
- Ignore cancelled events
## 3.1.4
- Add metrics to track matches and failures
## 3.1.3
- Fix bug where numbers from a JSON codec would result in a date parse failure. (#86, #89)
## 3.1.2
show original
warkolm
January 9, 2019, 3:46am
5
It might be a regression then, can you raise an issue under the plugin so we can dig into it?
made the changes to the logstash configurations per recommendation from Christian. I will monitor it for sometime. thanks
The change you pointed to only seems to handle the rollover between December and January. As your data belongs to November and comes over a month late, it is not caught by this fix.
Christian, are you talking about how logstash handles the rollover ?
i am monitoring the data after apply the recommendations to the logstash configuration . seems to be working fine. i can see all date from 2018 with the correct timestamp now.
what happens when we roll over to 2020 ? are we going to face a similar problem ?
If data does not arrive delayed more than a month I suspect the fix you linked to will handle it.
system
February 6, 2019, 8:23am
10
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.