Date parsing error

asgoh05 · August 2, 2017, 9:21am

Hello, I'm beginner of ELK.
I got a problem while mapping date of my log file.
Does anybody know how to map this kind of date format ? (20170802-022130.497289)

My mapping source -->

"column1": {
"type": "date",
"format" : "yyyyMMdd-HHmmss.SSSSSS"
},

mapper_parsing_exception -->

"reason"=>"failed to parse [column1]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: "20170802-022130.497289" is malformed at "289""}}}}}

Ravi_Shanker_Reddy · August 2, 2017, 9:50am

I am using 5.1.1. For me its working fine. FYI adding all the mappings

PUT test-date
{
  "mappings": {
    "logs":{
      "properties": {
        "column1":{
          "type": "date",
          "format": "yyyyMMdd-HHmmss.SSSSSS"
        }
      }
    }
  }
}

Inserted one document

POST test-date/logs/1
{
  "column1": "20170802-022130.497289"
}

Search using range query

GET test-date/_search
{
  "query": {
    "range": {
      "column1": {
        "format": "yyyy-MM-dd", 
        "gte": "2017-08-01",
        "lte": "2017-08-03"
      }
    }
  }
}

asgoh05 · August 3, 2017, 12:29am

Oh! Thanks
I think "logs" parameter was missed.
It's working well now!

asgoh05 · August 3, 2017, 4:50am

Thanks, but I got one more problem.
This is what I saw in Kibana.

when I do mapping with this format, time(hh) value has been changed.

Why does it happen?

Original Value : 20170803-050214.627322
Mapping Value : 20170803-140214.627

Ravi_Shanker_Reddy · August 3, 2017, 4:52am

ES always stores the date in GMT format.

asgoh05 · August 3, 2017, 4:57am

Yes, I can understand that GMT format was used.
But I cannot understand why hour is changed from 05 to 14

Original Value : 20170803-050214.627322
Mapping Value : 20170803-140214.627

Ravi_Shanker_Reddy · August 3, 2017, 4:58am

In what time zone you written your log???

asgoh05 · August 3, 2017, 5:08am

Thanks for your really fast support!

Oh! now I understand what you mean.
I was using (UTC+01:00) Amsterdam for log file, and (UTC+09:00) Seoul for ELK Server.

There are 8h of time difference . Not exactly matching with time difference but anyway, Is there any method to ignore time zone then?

Ravi_Shanker_Reddy · August 3, 2017, 5:12am

Try this mapping

PUT test-date
{
  "mappings": {
    "logs":{
      "properties": {
        "column1":{
          "type": "date",
          "format": "yyyyMMdd-HHmmss.SSSSSS Z"
        }
      }
    }
  }
}

And index the data with time zones

POST test-date/logs/1
{
  "column1": "20170802-022130.497289 +0100"
}

Ravi_Shanker_Reddy · August 3, 2017, 5:16am

Sorry what you understand here is wrong.

If you don't pass time zone ES thinks that you are passing GMT time. Means UTC +00:00. So you have nine hours gap there

asgoh05 · August 3, 2017, 5:31am

Yes, you were right!
It was not the problem of data.

I corrected time zone of Kibana which was browser default.
Management -> Advanced Setting -> dateFormat:tz to Etc:GMT
and it displayed perfectly!

Anyway thank you very much Ravi

Best Regards
SG

system · August 31, 2017, 5:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.