Hi,
I am seeking help to get the timestamp pattern properly matched. Here is the error in the Logstash log:
{:timestamp=>"2023-08-22T11:33:40.818000-0700", :message=>"Failed parsing date from field", :field=>"log_date", :value=>"Aug 22 11:33:40.107 PDT", :exception=>"Invalid format: \"Aug 22 11:33:40.107 PDT\"", :config_parsers=>"MMM dd HH:mm:ss.SSS ZZZ,MMM dd HH:mm:ss ZZZ,MMM dd HH:mm:ss.SSS,YYYY MMM dd HH:mm:ss.SSS ZZZ,YYYY MMM dd HH:mm:ss ZZZ,YYYY MMM dd HH:mm:ss.SSS,ISO8601", :config_locale=>"default=en_US", :level=>:warn}
Here is what I have in the filter date section:
date {
  match => [ "syslog_timestamp", "ISO8601", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "MMM dd HH:mm:ss.SSS" ]
  timezone => "-0800"
  remove_field => "syslog_timestamp"
}
Aruba syslog timestamp pattern
Re: Aruba syslog timestamp pattern
Thanks for reaching out @jniu,
The error message you posted is about the field "log_date" and the filter you posted has the match on field "syslog_timestamp".
I think the error you mentioned is because the date filter cannot parse the timezone PDT. You can see here that the Logstash documentation links the available timezones here. I don't see PDT. You can fix this by adding a mutate just above the date filter. This is an example that worked for me.
filter {
  mutate {
    gsub => [ "log_date", "PDT", "America/Los_Angeles" ]
  }
  date {
    match => [ "log_date", "MMM dd HH:mm:ss.SSS ZZZ", "MMM dd HH:mm:ss ZZZ", "MMM dd HH:mm:ss.SSS", "YYYY MMM dd HH:mm:ss.SSS ZZZ", "YYYY MMM dd HH:mm:ss ZZZ", "YYYY MMM dd HH:mm:ss.SSS", "ISO8601" ]
  }
}
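
An offline check of the normalisation idea in the reply above, as an added example that is not part of the original posts: it rewrites a trailing zone abbreviation before parsing, covers PST as well as PDT, and lists the values that would still not resolve. It swaps America/Los_Angeles for fixed numeric offsets so it runs without a timezone database; the abbreviation map, the function names, the caller-supplied year and every sample except the first are assumptions.

```python
import re
from datetime import datetime, timezone

# Assumption: the devices only emit US Pacific abbreviations. Zone
# abbreviations are not globally unique, so list only the ones you expect.
ABBREV_TO_OFFSET = {"PDT": "-0700", "PST": "-0800"}

# Yearless syslog layouts, with and without milliseconds.
LAYOUTS = ("%Y %b %d %H:%M:%S.%f %z", "%Y %b %d %H:%M:%S %z")

def normalize(value):
    """Swap a trailing zone abbreviation for its offset; None if unknown."""
    m = re.fullmatch(r"(.+\S)\s+([A-Z]{2,5})", value.strip())
    if not m or m.group(2) not in ABBREV_TO_OFFSET:
        return None
    return f"{m.group(1)} {ABBREV_TO_OFFSET[m.group(2)]}"

def to_utc(value, year):
    """Parse a log_date value into UTC; None means it needs review."""
    normalized = normalize(value)
    if normalized is None:
        return None
    for layout in LAYOUTS:
        try:
            parsed = datetime.strptime(f"{year} {normalized}", layout)
        except ValueError:
            continue
        return parsed.astimezone(timezone.utc)
    return None

def check(samples, year):
    """Return (parsed, unresolved) for a batch of sample values."""
    parsed, unresolved = {}, []
    for sample in samples:
        ts = to_utc(sample, year)
        if ts is None:
            unresolved.append(sample)
        else:
            parsed[sample] = ts.isoformat(timespec="milliseconds")
    return parsed, unresolved

# Constructed samples; the first is the value from the error on this page.
SAMPLES = ["Aug 22 11:33:40.107 PDT", "Dec 05 09:15:02 PST",
           "Aug 22 11:33:40.107 CEST", "Aug 22 11:33:40.107"]

if __name__ == "__main__":
    ok, review = check(SAMPLES, 2023)
    for raw, utc in ok.items():
        print(f"{raw!r} -> {utc}")
    print("needs review:", review)
```

A value that lands in the unresolved list here is one to handle explicitly in the pipeline, since an event whose date fails to parse keeps its ingestion time rather than the device's time.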