Failed to parse date

Hello guys,

I failed to parse this date 31/Oct/2019:10:52:48 +0100 using the date plugin :

date {
match => ["date", "dd/MMM/YYYY:HH:mm:ss Z"]
}

This is the error I got

Oct 31 12:08:42 centos7 logstash[22377]: [2019-10-31T12:08:42,568][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"proxy-squid-2019.10.31", :_type=>"_doc", :routing=>nil}, #LogStash::Event:0x73e3aad1], :response=>{"index"=>{"_index"=>"proxy-squid-2019.10.31", "_type"=>"_doc", "_id"=>"voWTIm4BHhkVqHsrga0P", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [date] of type [date] in document with id 'voWTIm4BHhkVqHsrga0P'. Preview of field's value: '31/Oct/2019:10:52:48 +0100'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"failed to parse date field [31/Oct/2019:10:52:48 +0100] with format [strict_date_optional_time||epoch_millis]", "caused_by"=>{"type"=>"date_time_parse_exception", "reason"=>"Failed to parse with all enclosed parsers"}}}}}}

Thank you for your help

It's not the date filter that is failing, it is the mapping in elasticsearch. You would need a custom time formatter in the index template. That's really an elasticsearch question, not a logstash question.

Edited to add: The default target of the date filter is @timestamp. Did you mean to parse the [date] field and overwrite it?

Hello Badger,

Thank you for your help. Yes that's the point, I want to use the value of the field date : 31/Oct/2019:10:52:48 +0100 instead of the default target of the date filter @timestamp.

Thank you

OK, so use

date { match => ["date", "dd/MMM/YYYY:HH:mm:ss Z"] target => "date" }

Thank you @Badger , it works.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.