Nagios Support Forum

Posted: **Tue Aug 22, 2023 3:14 pm**

Hi,

I am seeking help to get timestamp pattern properly matched. Here is the error in the logstash log:

{:timestamp=>"2023-08-22T11:33:40.818000-0700", :message=>"Failed parsing date from field", :field=>"log_date", :value=>"Aug 22 11:33:40.107 PDT", :exception=>"Invalid format: \"Aug 22 11:33:40.107 PDT\"", :config_parsers=>"MMM dd HH:mm:ss.SSS ZZZ,MMM dd HH:mm:ss ZZZ,MMM dd HH:mm:ss.SSS,YYYY MMM dd HH:mm:ss.SSS ZZZ,YYYY MMM dd HH:mm:ss ZZZ,YYYY MMM dd HH:mm:ss.SSS,ISO8601", :config_locale=>"default=en_US", :level=>:warn}

Here is what I have in the filter date session:

date {
match => [ "syslog_timestamp", "ISO8601", "MMM d HH:mm:ss", "MMM dd HH:mm:ss", "MMM dd HH:mm:ss.SSS" ]
timezone => "-0800"
remove_field => "syslog_timestamp"
}

Posted: **Wed Aug 23, 2023 12:23 pm**

Thanks for reaching out @jniu,

The error message you posted is about the field "log_date" and the filter you posted has the match on field "syslog_timestamp".

I think the error you mentioned is because the date filter cannot parse the timezone PDT. You can see here that logstash documention links the available timezones here. I don't see PDT. You can fix this by adding a mutate just above the date filter. This is an example that worked for me.

Code: Select all

filter {
    mutate {
        gsub => [ "log_date", "PDT", "America/Los_Angeles" ]
    }
    date {
        match => [ "log_date", "MMM dd HH:mm:ss.SSS ZZZ", "MMM dd HH:mm:ss ZZZ", "MMM dd HH:mm:ss.SSS", "YYYY MMM dd HH:mm:ss.SSS ZZZ", "YYYY MMM dd HH:mm:ss ZZZ", "YYYY MMM dd HH:mm:ss.SSS", "ISO8601" ]
    }
}

Nagios Support Forum

Aruba syslog timestamp pattern

Aruba syslog timestamp pattern

Re: Aruba syslog timestamp pattern