CSV _dateparsefailure

lowdmt · April 26, 2018, 8:55pm

Hi,

I have an issue with _dateparsefailure

#example from CSV FirstNotifiedAt 31/03/2018 23:58:00
filter {
date {
match => ["FirstNotifiedAt", "dd/MM/yyyy HH:mm:ss"]
target => "@timestamp"
}
}

The @timestamp in Kibana is still showing the time the CSV was imported and not the "FirstNotifiedAt" time that I'm looking for.

"fields": {
"@timestamp": [
"2018-04-26T20:47:01.136Z"
]
},

Any help appreciated

yaauie · April 26, 2018, 9:09pm

In the final event that was exported to Elasticsearch, what is the value of the FirstNotifiedAt field? I'm not seeing anything obvious from your pattern and the string you pasted in the comment above it

lowdmt · April 27, 2018, 12:39pm

Hi,

I'm looking in Kibana in the JSON output

"snhZone": "Global",
"LastNotifiedAt": "02/01/2018 06:25",
"Owner": "SYSTEM",

If thats what you mean?

magnusbaeck · April 27, 2018, 5:23pm

Okay, that's the LastNotifiedAt field. What about FirstNotifiedAt?

lowdmt · April 27, 2018, 5:45pm

Sorry pasted in the wrong one....although it's the same format.

"Event": "Down",
"FirstNotifiedAt": "01/01/2018 12:22",

magnusbaeck · April 27, 2018, 7:34pm

The timestamp doesn't include seconds but your date pattern does.

lowdmt · April 27, 2018, 8:16pm

removing the :ss worked. Sort of.

I think this is an issue in the way the csv is produced.

It's a little peculiar as the csv shows the FirstNotifiedAt as a 'custom' format in excel. It is formatted 31/03/2018 23:56:00

There is a double space between date and time
There is a :ss

I haven't changed the csv (the export from the software needs to be automated and altering the csv format is a non starter)...losing the :ss isn't critical for my purposes so I guess I'm happy.

},
"fields": {
"@timestamp": [
"2018-02-24T13:26:00.000Z"

Thanks Magnus

system · May 25, 2018, 8:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.