Dateparsefailure

chimbo84 · June 7, 2017, 2:13pm

I have a log line that reads something like the following (there is a space between the date and time, not a new line):

2017-06-07 10:15:42.406424+00:00,CSLUR,3,###########,###########,0xffffffff,310,026,61002,R,15,U,H

My logstash filter reads as such:

if ([message] =~ "CSLUR") {
csv {
columns => [
"date",
"event_type",
"log_ver",
"imsi",
"imei",
"tmsi",
"mcc",
"mnc",
"lac",
"acceptorreject",
"cause_code",
"whitelist",
"guest"
]
}
date {
match => [ "date", "ISO8601", "yyyy-MM-dd HH:mm:ss.SSSZZ" ]
}
}

I keep getting dateparsefailures and the @timestamp field is still read time, not message time. How do I debug the dateparsefailure?

magnusbaeck · June 7, 2017, 2:18pm

I'm not sure SSS likes microseconds. You might have to use SSSSSS or remove the last three digits from the date field (ES only supports millisecond resolution anyway). The mutate filter's gsub option can be used to trim the superfluous digits.

chimbo84 · June 7, 2017, 2:46pm

Thanks magnusbaeck. Changing it to "SSSSSS" worked.

I added a target date field and manually mapped it in ES to 'date' but should I need to do that (the mapping) in the future?

magnusbaeck · June 7, 2017, 6:17pm

I think ES's automapper automatically does the right thing in this case.

system · July 5, 2017, 6:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.