"_dateparsefailure" while parsing date using date in logstash

Question

my date which is in below format

"_messagetime" => "08/08/2022 22:18:17.254 +0530"

I am using date filter in my logstash

date {
    match => ["_messagetime", "YYYY-MM-dd HH:mm:ss.SSS"]
}

but I am getting

"_dateparsefailure"

Can anyone plz suggest what might be wrong with my approach

score 2 · Accepted Answer · answered Aug 17 '22 at 15:56

2

The date filter must match the entire value of the field. It cannot just parse a prefix. Also, your date filter has YYYY-MM-dd, but your field has dd/MM/YYYY.

You can parse that field using

date { match => ["_messagetime", "dd/MM/YYYY HH:mm:ss.SSS Z"] }

to get "@timestamp" => 2022-08-08T16:48:17.254Z. Note the trailing Z in the value of [@timestamp] -- all timestamps in logstash are stored in Zulu / UTC timezone.

answered Aug 17 '22 at 15:56

Badger

3,943
2
6
17

Works fine after adding Z, which was missing here. Thanks – rohit saraf Aug 18 '22 at 07:57

YLR · Answer 2 · 2022-08-17T10:20:18.703

0

your error it's caused by the " +0530" string in the _messagetime field content.

To fix this, one option is :

Remove this string before the date plugin, you can do this with use of grok or dissect

For example :

filter {
  grok {
    match => { "_messagetime" => "%{DATESTAMP:newdate}%{DATA:trash}" }
  }
}

Apply the same date plugin conf wich must work on new content now without " +0530" occurence

edited Aug 17 '22 at 10:20

answered Aug 17 '22 at 10:13

YLR

1,503
4
21
28

"_dateparsefailure" while parsing date using date in logstash

2 Answers2