Dateparsefailure


(Tim) #1

I have a log line that reads something like the following (there is a space between the date and time, not a new line):

2017-06-07 10:15:42.406424+00:00,CSLUR,3,###########,###########,0xffffffff,310,026,61002,R,15,U,H

My logstash filter reads as such:

if ([message] =~ "CSLUR") {
csv {
columns => [
"date",
"event_type",
"log_ver",
"imsi",
"imei",
"tmsi",
"mcc",
"mnc",
"lac",
"acceptorreject",
"cause_code",
"whitelist",
"guest"
]
}
date {
match => [ "date", "ISO8601", "yyyy-MM-dd HH:mm:ss.SSSZZ" ]
}
}

I keep getting dateparsefailures and the @timestamp field is still read time, not message time. How do I debug the dateparsefailure?


(Magnus Bäck) #2

I'm not sure SSS likes microseconds. You might have to use SSSSSS or remove the last three digits from the date field (ES only supports millisecond resolution anyway). The mutate filter's gsub option can be used to trim the superfluous digits.


(Tim) #3

Thanks magnusbaeck. Changing it to "SSSSSS" worked.

I added a target date field and manually mapped it in ES to 'date' but should I need to do that (the mapping) in the future?


(Magnus Bäck) #4

I think ES's automapper automatically does the right thing in this case.


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.