1 vote

I'm working on parsing the timestamp from the CouchDB log. The entire timestamp is processed correctly when seen in stdout; however, _grokparsefailure is observed when viewing with Kibana on top of Elasticsearch.

Example log line:

[Thu, 31 Jul 2014 17:14:28 GMT] [info] [<0.23047.647>] 10.30.50.48 - - HEAD /z_775-797_api_docs 200

I've followed these links in parsing the date format: http://logstash.net/docs/1.4.2/filters/date , http://joda-time.sourceforge.net/apidocs/org/joda/time/format/DateTimeFormat.html

My parse code is:

filter {
  grok {
    # SYSLOG5424SD matches one bracketed field ("[...]"). "[info]" is a literal,
    # so only info-level lines match; any other level fails this pattern.
    match => { "message" => "%{SYSLOG5424SD:Log_Time} \[info\] %{SYSLOG5424SD:response_time} %{IPV4:ip_address} - - %{WORD:http_method} %{URIPATH} %{INT:file_value}" }
  }

  date {
    # Joda pattern for "[Thu, 31 Jul 2014 17:14:28 GMT]"; on success it overwrites @timestamp
    match => [ "Log_Time", "[EEE, dd MMM YYYY HH:mm:ss zzz]" ]
  }
}

My output code is:

output {
  # Logstash 1.4.x: `host` (singular) names the Elasticsearch node
  elasticsearch { host => "localhost" }
  # Print each event as JSON so the parsed fields and tags can be checked
  stdout { codec => json }
}

where Log_Time = [Thu, 31 Jul 2014 17:14:28 GMT] and the output timestamp is "@timestamp":"2014-07-31T17:14:28.000Z"

The data displayed under stdout is "@timestamp":"2014-07-31T17:14:28.000Z" without any grok parse error, but in Kibana the parse time shows up as the timestamp and the _grokparsefailure tag is present. I couldn't understand why there is this difference between standard out and Kibana. I tried deleting all Elasticsearch indexes and the .sincedb files, but the errors remain.

Please help if you have any ideas.

1
Did you try the grok debugger on heroku? - Engineer2021
@staticx, yes, I tried it but it was not able to parse, hence I used my own parser. After parsing, though, the timestamp is displayed properly in stdout, but it gives a parse failure when I set the output to Elasticsearch on localhost - pjesudhas
In your date block, you need to say remove_field => timestamp. - Engineer2021
Also, if grok debugger can't parse it, then you aren't going to get past the grok parse failures. - Engineer2021
@staticx, the grok debugger at grokdebug.herokuapp.com is able to parse it effectively, and the results are displayed properly in stdout, but it gives a parse failure when viewed with Kibana - pjesudhas

1 Answer

1 vote

Kibana is only a viewer! The grok parse failure is not related to Kibana. The problem you have probably met is that some of your logs are not in the expected format and cause a parsing failure. Then the timestamp value will be the current time at which the log event was processed.

Please check your logs to see whether all of them are in the format! Or you can try using the Kibana date picker to pick the log time you want to view, say 2014-07-31. Otherwise the default date picker in Kibana will pick the last 24 hours of logs.

Updated: In your comment you asked "how to detect failures in logstash".

When your grok filter fails to parse, Logstash will add a tag with the value _grokparsefailure. Then you can use an if condition to do the failure handling.

filter {
  if "_grokparsefailure" in [tags] {
    # Failure handling goes here, e.g. drop { } the event or add a marker field with mutate
  }
}
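To make the answer's point concrete for the question's pattern, here is an added example (not code from either poster, and not Logstash's grok engine) that re-implements the question's grok and date filters with Python's re module and runs them over a few constructed CouchDB-style lines. The grok pattern expansions (SYSLOG5424SD, IPV4, WORD, URIPATH, INT) are hand-written approximations of the grok library definitions, the processing time is a fixed constant so results are reproducible, and the second and third sample lines are constructed to show what the answer describes: a line that does not match (here, a non-info level and a line without the request fields) gets the _grokparsefailure tag and keeps the processing time as @timestamp instead of the time inside the log line.

```python
"""Emulate the question's grok + date filters to show why some events end up
tagged _grokparsefailure with @timestamp equal to the processing time.
Added example; regexes are hand-written approximations, not grok's own."""
import re
from datetime import datetime, timezone

# Hand-written expansions of the grok patterns used in the question.
# grok defines SYSLOG5424SD as \[%{DATA}\]+ and DATA as .*?
SYSLOG5424SD = r"\[.*?\]+"
IPV4 = r"(?:\d{1,3}\.){3}\d{1,3}"
WORD = r"\w+"
URIPATH = r"(?:/[A-Za-z0-9$.+!*'(){},~:;=@#%&_\-]*)+"
INT = r"[+-]?\d+"

# Same structure as the question's match => {...}. "[info]" is a literal, so a
# line logged at any other level cannot match and is tagged as a failure.
GROK = re.compile(
    rf"(?P<Log_Time>{SYSLOG5424SD}) \[info\] (?P<response_time>{SYSLOG5424SD}) "
    rf"(?P<ip_address>{IPV4}) - - (?P<http_method>{WORD}) {URIPATH} (?P<file_value>{INT})"
)

# strptime equivalent of the Joda pattern "[EEE, dd MMM YYYY HH:mm:ss zzz]"
# (assumes an English locale for %a/%b; %Z accepts GMT/UTC).
DATE_FMT = "[%a, %d %b %Y %H:%M:%S %Z]"

GROK_FAILURE = "_grokparsefailure"
DATE_FAILURE = "_dateparsefailure"

# Constructed stand-in for "now" so the demo is reproducible.
PROCESSING_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)


def to_logstash_ts(dt):
    """Render an aware datetime the way Logstash prints @timestamp."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def process_line(line, now=None):
    """Apply the grok filter, then the date filter, to one log line.

    Mirrors Logstash: @timestamp starts as the processing time and is only
    overwritten when both filters succeed; a failure adds a tag, the event
    is kept, and the processing time stays as @timestamp."""
    now = now or datetime.now(timezone.utc)
    event = {"message": line, "@timestamp": to_logstash_ts(now), "tags": []}

    m = GROK.search(line)  # grok matches anywhere in the field, like search()
    if m is None:
        event["tags"].append(GROK_FAILURE)
        return event
    event.update(m.groupdict())

    try:
        parsed = datetime.strptime(event["Log_Time"], DATE_FMT).replace(tzinfo=timezone.utc)
    except ValueError:
        event["tags"].append(DATE_FAILURE)
        return event
    event["@timestamp"] = to_logstash_ts(parsed)
    return event


def process(lines, now=None):
    return [process_line(line, now) for line in lines]


def failures(events):
    """The answer's `if "_grokparsefailure" in [tags]` branch, as a filter."""
    return [e for e in events if GROK_FAILURE in e["tags"]]


# Constructed sample input: the line from the question plus two lines the
# pattern cannot match (an error-level line, and an info line with no request).
SAMPLE_LINES = [
    "[Thu, 31 Jul 2014 17:14:28 GMT] [info] [<0.23047.647>] 10.30.50.48 - - HEAD /z_775-797_api_docs 200",
    "[Thu, 31 Jul 2014 17:14:29 GMT] [error] [<0.23047.647>] 10.30.50.48 - - GET /z_775-797_api_docs 500",
    "[Thu, 31 Jul 2014 17:14:30 GMT] [info] [<0.23047.647>] Apache CouchDB has started",
]


def demo():
    """Run the sample lines with the fixed processing time."""
    return process(SAMPLE_LINES, now=PROCESSING_TIME)


if __name__ == "__main__":
    for ev in demo():
        print(ev["@timestamp"], ev["tags"], ev.get("http_method"))
```

Running it prints the question's line with @timestamp 2014-07-31T17:14:28.000Z and no tags, while the two constructed lines keep the processing time and carry _grokparsefailure; those are the events that land in Kibana's "now" bucket and explain why the stdout of a single good line and the index as a whole look different.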