Dateparsefailure

chimbo84 · June 7, 2017, 2:13pm

I have a log line that reads something like the following (there is a space between the date and time, not a new line):

2017-06-07 10:15:42.406424+00:00,CSLUR,3,###########,###########,0xffffffff,310,026,61002,R,15,U,H

My logstash filter reads as such:

if ([message] =~ "CSLUR") {
csv {
columns => [
"date",
"event_type",
"log_ver",
"imsi",
"imei",
"tmsi",
"mcc",
"mnc",
"lac",
"acceptorreject",
"cause_code",
"whitelist",
"guest"
]
}
date {
match => [ "date", "ISO8601", "yyyy-MM-dd HH:mm:ss.SSSZZ" ]
}
}

I keep getting dateparsefailures and the @timestamp field is still read time, not message time. How do I debug the dateparsefailure?

magnusbaeck · June 7, 2017, 2:18pm

I'm not sure SSS likes microseconds. You might have to use SSSSSS or remove the last three digits from the date field (ES only supports millisecond resolution anyway). The mutate filter's gsub option can be used to trim the superfluous digits.

chimbo84 · June 7, 2017, 2:46pm

Thanks magnusbaeck. Changing it to "SSSSSS" worked.

I added a target date field and manually mapped it in ES to 'date' but should I need to do that (the mapping) in the future?

magnusbaeck · June 7, 2017, 6:17pm

I think ES's automapper automatically does the right thing in this case.

system · July 5, 2017, 6:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
_dateparsefailure again Logstash	3	1148	June 27, 2017
Data parse error ["_dateparsefailure"] Logstash	9	1031	August 15, 2018
Logstash Timstamp:_dateparsefailure issue Logstash	8	721	May 9, 2018
Dateparsefailure on conversion Logstash	3	302	July 10, 2018
_dateparsefailure when trying to overwrite @timestamp Logstash	8	146	June 7, 2024

Dateparsefailure

Related Topics