_dateparsefailure ISO8106

tgdesrochers · February 8, 2018, 6:40pm

Elasticstack 6.1

I am trying to parse the following field/date:
"EventTime":"2018-02-08 12:43:35.951854Z"

I have used:

filter {   
  date {
    match => [ "EventTime", "yyyy-MM-dd HH:mm:ss:SSSZ" ]
  }
}

filter {   
  date {
    match => [ "EventTime", "ISO8106" ]
  }
}

And they all return a _dateparsefailure

I am not sure how to get the date to parse correctly

magnusbaeck · February 8, 2018, 7:03pm

match => [ "EventTime", "yyyy-MM-dd HH:mm:ss:SSSZ" ]

Have you tried SSSSSSS instead of SSS? Also, your date has a period between the seconds and microseconds, not a colon.

match => [ "EventTime", "ISO8106" ]

It's ISO8601.

tgdesrochers · February 8, 2018, 7:47pm

This eventually worked

filter {   
  date {
    match => ["EventTime", "yyyy-MM-dd HH:mm:ss.SSSSSSZ", "ISO8601" ]
  }
}

ISO8601 itself didn't work

Topic		Replies	Views
Logstash Date Parse failure Logstash	5	938	December 13, 2021
Dateparsefailure Logstash	4	635	July 5, 2017
message=>"Failed parsing date from field", :field=>"timestamp", :value=>"2016-09-14 15:43:48.258000", :exception=>"Invalid format: \"2016-09-14 15:43:48.258000\"", Logstash	3	1373	July 6, 2017
Dateparsefailure for "yyyy-MM-dd-HH:mm:ss.SSSZZ" format Logstash	3	2618	September 19, 2018
Getting _dateparsefailure on date filter Logstash	7	367	March 22, 2019