For rule 'parse event timestamp': In call to function 'parse_date' at 5:19 an exception was thrown: Invalid format: ""


(pradeep) #1

I want to pipeline my log timestamp with Graylog but I got an Invalid format error.
I grok my timestamp into Timestamp_tweet
sample:- Fri Dec 21 19:09:36 +0000 2018
rule "parse event timestamp"
when
true
then
let new_date = parse_date(to_string($message.Timestamp_tweet), "EEE MMM dd HH:mm:ss Z yyyy");
set_field("timestamp", new_date);
end

How can I solve this issue?


(Jan Doberstein) #2

First, you would get faster help if you format your postings in a way that somebody that is not you can understand what you write easily.

Your Sample timestamp is: Fri Dec 21 19:09:36 +0000 2018 and you try to match that with the following settings: EEE MMM dd HH:mm:ss Z yyyy. For me I got this parsing with the following working:
E MMM dd HH:mm:ss Z Y.

But I guess (because of your bad formatting) that the date is not the only content of your sample timestamp and you need to parse place that into a single field before you use the parse_date function.


(pradeep) #3

I changed my pipeline format to E MMM dd HH:mm:ss Z Y but no luck
rule "parse event timestamp"
when
true
then
let new_date = parse_date(to_string($message.Timestamp_tweet), "E MMM dd HH:mm:ss Z Y);");
set_field("timestamp", new_date);
end
Log sample:
“Mon Jan 07 17:30:00 +0000 2019 @Very excited that Apple is bringing AirPlay and iTunes to my Vizio TV (and apparently Samsung TVs too). An important https://t.co/4kbvJRfGwb

I have only grokked the timestamp (Mon Jan 07 17:30:00 +0000 2019) into Timestamp_tweet

Is anything wrong with my grok?


(Jan Doberstein) #4

The question is: does the grok date extractor run as an extractor or as a processing pipeline? Does it run before or after your rule?

Because the rule above can only work if the field “Timestamp_tweet” is given in the message.


(pradeep) #5

It runs as a processing pipeline.

Does it run before or after your rule? I didn’t get that.

1) created grok for timestamp
2) added new pipeline
3) created rule for pipeline

I have done these steps and I got the Invalid format error.


(Jan Doberstein) #6

Can you please be a little more specific about "created grok for timestamp" - what does that mean exactly for you? Where did you create that and how should that run on incoming messages?


(pradeep) #7

“Mon Jan 07 17:30:00 +0000 2019 @Very excited that Apple is bringing AirPlay and iTunes to my Vizio TV (and apparently Samsung TVs too). An important https://t.co/4kbvJRfGwb”

  • I want to change the Graylog timestamp to this log timestamp
  • I am using GELF TCP as the input in Graylog and the log comes from fluentd
  • created grok for timestamp:- through System --> Grok, I stored the log timestamp value (Mon Jan 07 17:30:00 +0000 2019) in Timestamp_tweet
  • Then I created a new pipeline and rule
  • I am following this URL to fix my issue:- Searching imported logs by log timestamp, not time Graylog received the log
  • rule:- rule "parse event timestamp"
    when
    true
    then
    let new_date = parse_date(to_string($message.Timestamp_tweet), "E MMM dd HH:mm:ss Z Y);");
    set_field("timestamp", new_date);
    end
  • I don't know how it comes with incoming messages. After creating the pipeline and its rule, I got a field called gl2_processing_error

(Jan Doberstein) #8

So you actually do not use any processing pipeline or extractor to make the field “Timestamp_tweet” available? The parse_date function will need the date to be the only value in the field as it will not try to match something that looks like the given date.


(pradeep) #9

No, how can I do it with a processing pipeline? I only grok the timestamp and store it in Timestamp_tweet, and I created a pipeline rule with this Timestamp_tweet
"rule "parse event timestamp"
when
true
then
let new_date = parse_date(to_string($message.Timestamp_tweet), "E MMM dd HH:mm:ss Z Y);");
set_field("timestamp", new_date);
end"


(system) closed #10

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
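
An added example, not part of the thread and not Graylog's own code: one way to meet the two conditions raised in post #8 (the field must exist and must hold only the date) entirely inside a processing pipeline, with the extraction in an earlier stage than the parse. It assumes the raw line arrives in the `message` field; the rule names, the pipeline name and the regular expression are made up for illustration, and the date pattern is the one from post #1.

```graylog
// Stage 0: copy only the leading date out of the raw line into its own field.
rule "extract tweet timestamp"
when
  // Match lines that start with e.g. "Mon Jan 07 17:30:00 +0000 2019"
  has_field("message") &&
  regex("^([A-Z][a-z]{2} [A-Z][a-z]{2} \\d{2} \\d{2}:\\d{2}:\\d{2} [+-]\\d{4} \\d{4})",
        to_string($message.message)).matches == true
then
  let m = regex("^([A-Z][a-z]{2} [A-Z][a-z]{2} \\d{2} \\d{2}:\\d{2}:\\d{2} [+-]\\d{4} \\d{4})",
                to_string($message.message));
  // m["0"] is the first capture group: the date and nothing else
  set_field("Timestamp_tweet", m["0"]);
end

// Stage 1: parse the field only when it exists and is not empty.
rule "parse event timestamp"
when
  has_field("Timestamp_tweet") &&
  to_string($message.Timestamp_tweet) != ""
then
  let new_date = parse_date(to_string($message.Timestamp_tweet),
                            "EEE MMM dd HH:mm:ss Z yyyy");
  set_field("timestamp", new_date);
end

// Stage order guarantees the extraction runs before the parse.
pipeline "tweet timestamp"
stage 0 match either
  rule "extract tweet timestamp";
stage 1 match either
  rule "parse event timestamp";
end
```

With `when true`, as in the rules posted above, a message that lacks `Timestamp_tweet` hands `parse_date` an empty string, which is the `Invalid format: ""` in the thread title; the guard in stage 1 skips such messages instead.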