[FATAL] 2018-05-04 16:06:38.656 [LogStash::Runner] runner - The given configuration is invalid. Reason: Illegal pattern component: T when trying to parse date

dyl · May 4, 2018, 2:20pm

Hello everybody,

I've got a CSV document which is imported thanks to fileabeat to logstash input, then it is filtered and then goes to ES to be saw in Kabana.

I want to parse a date from this CSV file to use it for the @timestamp.

This date is : "2018-02-28 23:00 GMT" (incremented each day of the month..)

so my pipeline looks like this :

input
{
  beats
  {
    port => 5044
  }
}
filter
{
  csv
  {
    separator => ";"
    columns => ["jour","type","total"]
    convert =>
        {
            "total" => "float"
        }
  }
  if [message] =~ /^jour/
  {
   drop {}
  }
  date
  {
    match => [ "jour", "yyyy-MM-dd HH:mm GMT" ]
  }
}
output
{
  elasticsearch
  {
    hosts => "http://localhost:9200"
    index => "ironport"
  }
  stdout{}
}

But when I test my pipeline before to use it, i've got this error :

[FATAL] 2018-05-04 16:06:38.656 [LogStash::Runner] runner - The given configuration is invalid. Reason: Illegal pattern component: T

Is it the "GMT" which is problematic ? If yes, how can I do to deal with this date format ?

Can somebody help me ?

Thx for all for your help.

Badger · May 4, 2018, 4:26pm

date { match => [ "message", "yyy-MM-dd HH:mm ZZZ" ] }

magnusbaeck · May 4, 2018, 7:42pm

If you want to match the literal string "GMT" you need to surround it in single quotes. If you want the date filter to parse the timezone name I don't think that'll work.

Badger · May 4, 2018, 8:29pm

In 6.2.3 it works. It is listed as an alias on the Joda page. EST is now on there too as a canonical id!

system · June 1, 2018, 8:30pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.