Closed VictorRobellini closed 12 months ago
Very interesting. It makes sense. I guess you're intending it to default to the current year? Seems that might not be too reliable when processing data around dec/jan.
I completely agree but it's how the logs are delivered. The format is called ts-syslog.
ts-syslog ("Jan 02 15:04:05", parsed time is set to the current year)
https://github.com/influxdata/telegraf/blob/master/plugins/parsers/grok/README.md
Hi,
Looking through older issues.
Fundamentally, you need to specify a year at some point. You cannot assume the use of the current of year. While in the middle of the year it might be obvious to use the current year, but this isn't always the case. For example on new years, if you start putting 2024 on everything that could be wrong while parsing logs from Dec 31, 2023.
The suggestion then is for users to not parse the timestamp, capture it as a a field, and use starlark to set the year based on their situation and then update the timestamp with that new field. This is a bit messy, but when you try to parse without a year, you will eventually need to set one and knowing what to set it to is not easily known or set.
Relevant telegraf.conf:
Logfile
telegraf --test --config /usr/local/etc/telegraf.conf
Influx results
System info:
Telegraf 1.17.0 Influxdb 1.8.3 pfSense 2.5.0
Steps to reproduce:
Use the above telegraf config to parse the log file posted in this issue report.
Expected behavior:
The date would be properly parsed
Actual behavior:
Somehow I end up time traveling.
Additional info:
This timestamp is referenced as "Stamp" in the go docs and is referenced in many other documents. https://github.com/golang/go/blob/0fdc3801bfd43d6f55e4ea5bf095e1ea55430339/src/time/format.go#L86
Go sample
https://play.golang.org/p/ihlq_i2rB4a