Dateparsefailure

chimbo84 · June 7, 2017, 2:13pm

I have a log line that reads something like the following (there is a space between the date and time, not a new line):

2017-06-07 10:15:42.406424+00:00,CSLUR,3,###########,###########,0xffffffff,310,026,61002,R,15,U,H

My logstash filter reads as such:

if ([message] =~ "CSLUR") {
csv {
columns => [
"date",
"event_type",
"log_ver",
"imsi",
"imei",
"tmsi",
"mcc",
"mnc",
"lac",
"acceptorreject",
"cause_code",
"whitelist",
"guest"
]
}
date {
match => [ "date", "ISO8601", "yyyy-MM-dd HH:mm:ss.SSSZZ" ]
}
}

I keep getting dateparsefailures and the @timestamp field is still read time, not message time. How do I debug the dateparsefailure?

magnusbaeck · June 7, 2017, 2:18pm

I'm not sure SSS likes microseconds. You might have to use SSSSSS or remove the last three digits from the date field (ES only supports millisecond resolution anyway). The mutate filter's gsub option can be used to trim the superfluous digits.

chimbo84 · June 7, 2017, 2:46pm

Thanks magnusbaeck. Changing it to "SSSSSS" worked.

I added a target date field and manually mapped it in ES to 'date' but should I need to do that (the mapping) in the future?

magnusbaeck · June 7, 2017, 6:17pm

I think ES's automapper automatically does the right thing in this case.

system · July 5, 2017, 6:17pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash _dateparsefailure error Logstash	6	17387	July 6, 2017
message=>"Failed parsing date from field", :field=>"timestamp", :value=>"2016-09-14 15:43:48.258000", :exception=>"Invalid format: \"2016-09-14 15:43:48.258000\"", Logstash	3	1352	July 6, 2017
_dateparsefailure again Logstash	3	1174	June 27, 2017
Logstash Timstamp:_dateparsefailure issue Logstash	8	765	May 9, 2018
Failed date from field Logstash	13	1830	July 6, 2017

Dateparsefailure

Related topics