Elasticsearch Failed to Parse Time Field

Morgan_Kisienya · June 22, 2017, 6:07am

Hi all,

I have the following field from logstash in json

"DateFirstSeen" => 2017-06-21T19:47:29.782Z,

However elasticsearch fails to parse the filed and returns the following error

[2017-06-22T15:57:06,877][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"nfdump-2017.06.22", :_type=>"nw-events", :_routing=>nil}, 2017-06-22T05:57:05.329Z server.com %{message}], :response=>{"index"=>{"_index"=>"nfdump-2017.06.22", "_type"=>"nw-events", "_id"=>"AVzOYCaTuo1nKLuBo50c", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [DateFirstSeen]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: "Date first seen Date la...""}}}}}

Many thanks for your help

Morgan_Kisienya · June 22, 2017, 8:26am

I got the error.

I was including header line on CSV that was being parsed by logstash, the header line included "Data last seen" as a value i.e.
"DateFirstSeen" => "Date first seen",
I have removed the header line. All is ok.

system · July 20, 2017, 8:36am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.