Failed to parse date field in ELK stack 7.0

janmichae.reyes4 · May 17, 2020, 10:12am

hi,

Seeking your help on the issue that i've encountered. see logstash logs

[2020-05-17T18:08:04,561][WARN ][logstash.outputs.elasticsearch][main][7a2e4f1adfc06df81621c72c479da896bcfd3869a4bb01f7a4d4115bed9c9c96] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"filebeat-2020.05.17", :routing=>nil, :_type=>"_doc"}, #LogStash::Event:0x7a5ddd11], :response=>{"index"=>{"_index"=>"filebeat-2020.05.17", "_type"=>"_doc", "_id"=>"QToaInIBZskL-m562WvP", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [@timestamp] of type [date] in document with id 'QToaInIBZskL-m562WvP'. Preview of field's value: '2020-05-17T10:08:09.493Z'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"failed to parse date field [2020-05-17T10:08:09.493Z] with format [epoch_millis]", "caused_by"=>{"type"=>"date_time_parse_exception", "reason"=>"Failed to parse with all enclosed parsers"}}}}}}

Thank you

Badger · May 17, 2020, 3:09pm

You have an index template that says the [@timestamp] field has to be in the epoch_millis format, but you are sending it an ISO8601 format. I suggest you change your index template.

janmichae.reyes4 · May 18, 2020, 6:45am

Thank you for the response. Will have this try.

Thank you.

system · June 15, 2020, 6:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.