Failed to parse multiple date fields

setlem · October 19, 2016, 11:15am

Hi,

my config file is

date is parsing only for LAST_MODIFIED_DATE. But not for CREATION_DATE and SUBMITTED_DATE
Suggest me the way to fix this.
Thanks!!!!!

magnusbaeck · October 19, 2016, 12:16pm

What does an example event look like? No screenshot please, use copy/paste from Kibana or a stdout { codec => rubydebug } output.

setlem · October 19, 2016, 12:23pm

input is

in output am getting
"tags" => [
[0] "_dateparsefailure"

magnusbaeck · October 19, 2016, 1:13pm

There are a couple of things that the date filter will be unhappy about:

The month name is uppercase.
I don't think it support nanoseconds.

Your Logstash log should contain clues about what it complains about.

setlem · October 20, 2016, 5:50am

Hi
Thanks for ur reply magnus.

I have tried a sample code by giving single date,It worked.
Yes,Timestamp wont take nano seconds.It takes milli second only.
am getting _dateparsefailure error only when i give multiple date filters.
input is
[quote]
"o920002",0,15,"default","1100000","o920002","INCOMPLETE","","",0,13-DEC-13 03.14.15.968 PM,"",15-DEC-13 05.36.52.550 PM,"","","",0,"",0,"saraDefaultSite","saraDefaultSite",0
[/quote]
config is
[quote]

date {
locale => "en"
match => [ "CREATION_DATE", "dd-MMM-yy hh.mm.ss.SSSa"]
target => "CREATION_DATE"
}

date {
locale => "en"
match => [ "SUBMITTED_DATE", "dd-MMM-yy hh.mm.ss.SSS a"]
target => "SUBMITTED_DATE"
}

date {
match => [ "LAST_MODIFIED_DATE", "dd-MMM-yy hh.mm.ss.SSS a"]
target => "@timestamp"
}
[/quote]
The output file is
[quote]
"ORDER_ID" => "o920002",
"TYPE" => "0",
"VERSION" => "15",
"ORDER_CLASS_TYPE" => "default",
"PROFILE_ID" => "1100000",
"DESCRIPTION" => "o920002",
"STATE" => "INCOMPLETE",
"STATE_DETAIL" => "",
"CREATED_BY_ORDER" => "",
"ORIGIN_OF_ORDER" => "0",
"CREATION_DATE" => "2013-12-13T09:44:15.968Z",
"SUBMITTED_DATE" => "",
"LAST_MODIFIED_DATE" => "15-DEC-13 05.36.52.550 PM",
"COMPLETED_DATE" => "",
"PRICE_INFO" => "",
"TAX_PRICE_INFO" => "",
"EXPLICITLY_SAVED" => "0",
"AGENT_ID" => "",
"SALES_CHANNEL" => "0",
"CREATION_SITE_ID" => "saraDefaultSite",
"SITE_ID" => "saraDefaultSite",
"GWP" => "0",
"mytime" => "",
"tags" => [
[0] "_dateparsefailure"
]
}
[/quote]
my date is parsing only for target => "@timestamp"
but not for target => "CREATION_DATE" and target => "SUBMITTED_DATE"
and I don't think there is a problem with uppercase of month.

Christian_Dahlqvist · October 20, 2016, 5:59am

In this example SUBMITTED_DATE is an empty string, would it not be that which is causing the _dateparsefailure? Does the @timestamp field get set properly in your example? You may want to wrap the date processing in conditionals to verify that the field contains data before running the date filter.

setlem · October 20, 2016, 6:21am

Thank a lot Christian,
It worked .that empty string was causing _dateparsefailure.I will use conditionals and fix it.