"08/08/2022 22:18:17.254 +0530" I am using date filter in my logstash date { match => ["_messagetim" /> "08/08/2022 22:18:17.254 +0530" I am using date filter in my logstash date { match => ["_messagetim" /> "08/08/2022 22:18:17.254 +0530" I am using date filter in my logstash date { match => ["_messagetim"/>
DEVHIDE
Login Or Sign up

"_dateparsefailure" while parsing date using date in logstash

87 Views Asked by At

my date which is in below format

"_messagetime" => "08/08/2022 22:18:17.254 +0530"

I am using date filter in my logstash

date {
    match => ["_messagetime", "YYYY-MM-dd HH:mm:ss.SSS"]
}

but I am getting

"_dateparsefailure"

Can anyone plz suggest what might be wrong with my approach

logstash elk logstash-filter
Original Q&A
2

There are 2 best solutions below

1
Badger On BEST ANSWER

The date filter must match the entire value of the field. It cannot just parse a prefix. Also, your date filter has YYYY-MM-dd, but your field has dd/MM/YYYY.

You can parse that field using

date { match => ["_messagetime", "dd/MM/YYYY HH:mm:ss.SSS Z"] }

to get "@timestamp" => 2022-08-08T16:48:17.254Z. Note the trailing Z in the value of [@timestamp] -- all timestamps in logstash are stored in Zulu / UTC timezone.

0
YLR On

your error it's caused by the " +0530" string in the _messagetime field content.

To fix this, one option is :

  • Remove this string before the date plugin, you can do this with use of grok or dissect

For example :

filter {
  grok {
    match => { "_messagetime" => "%{DATESTAMP:newdate}%{DATA:trash}" }
  }
}
  • Apply the same date plugin conf wich must work on new content now without " +0530" occurence

Related Questions in LOGSTASH

Related Questions in ELK

Related Questions in LOGSTASH-FILTER

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs

Popular Questions

.

Copyright © 2021 Jogjafile Inc.