Failed to parse multiple date fields

Elastic Stack Logstash
1

Hi,

my config file is

date is parsing only for LAST_MODIFIED_DATE. But not for CREATION_DATE and SUBMITTED_DATE
Suggest me the way to fix this.
Thanks!!!!!

2

What does an example event look like? No screenshot please, use copy/paste from Kibana or a stdout { codec => rubydebug } output.

3

input is

in output am getting
"tags" => [
[0] "_dateparsefailure"

4

There are a couple of things that the date filter will be unhappy about:

  • The month name is uppercase.
  • I don't think it support nanoseconds.

Your Logstash log should contain clues about what it complains about.

5

Hi
Thanks for ur reply magnus.

I have tried a sample code by giving single date,It worked.
Yes,Timestamp wont take nano seconds.It takes milli second only.
am getting _dateparsefailure error only when i give multiple date filters.
input is
[quote]
"o920002",0,15,"default","1100000","o920002","INCOMPLETE","","",0,13-DEC-13 03.14.15.968 PM,"",15-DEC-13 05.36.52.550 PM,"","","",0,"",0,"saraDefaultSite","saraDefaultSite",0
[/quote]
config is
[quote]

date {
locale => "en"
match => [ "CREATION_DATE", "dd-MMM-yy hh.mm.ss.SSSa"]
target => "CREATION_DATE"
}

date {
locale => "en"
match => [ "SUBMITTED_DATE", "dd-MMM-yy hh.mm.ss.SSS a"]
target => "SUBMITTED_DATE"
}

date {
match => [ "LAST_MODIFIED_DATE", "dd-MMM-yy hh.mm.ss.SSS a"]
target => "@timestamp"
}
[/quote]
The output file is
[quote]
"ORDER_ID" => "o920002",
"TYPE" => "0",
"VERSION" => "15",
"ORDER_CLASS_TYPE" => "default",
"PROFILE_ID" => "1100000",
"DESCRIPTION" => "o920002",
"STATE" => "INCOMPLETE",
"STATE_DETAIL" => "",
"CREATED_BY_ORDER" => "",
"ORIGIN_OF_ORDER" => "0",
"CREATION_DATE" => "2013-12-13T09:44:15.968Z",
"SUBMITTED_DATE" => "",
"LAST_MODIFIED_DATE" => "15-DEC-13 05.36.52.550 PM",
"COMPLETED_DATE" => "",
"PRICE_INFO" => "",
"TAX_PRICE_INFO" => "",
"EXPLICITLY_SAVED" => "0",
"AGENT_ID" => "",
"SALES_CHANNEL" => "0",
"CREATION_SITE_ID" => "saraDefaultSite",
"SITE_ID" => "saraDefaultSite",
"GWP" => "0",
"mytime" => "",
"tags" => [
[0] "_dateparsefailure"
]
}
[/quote]
my date is parsing only for target => "@timestamp"
but not for target => "CREATION_DATE" and target => "SUBMITTED_DATE"
and I don't think there is a problem with uppercase of month.

6

In this example SUBMITTED_DATE is an empty string, would it not be that which is causing the _dateparsefailure? Does the @timestamp field get set properly in your example? You may want to wrap the date processing in conditionals to verify that the field contains data before running the date filter.

7

Thank a lot Christian,
It worked .that empty string was causing _dateparsefailure.I will use conditionals and fix it.:slight_smile: