Getting _dateparsefailure for a log file having two timestamps

Hello My log file looks like:

    "textPayload": "{'testkey': 'testvalue'}",
    "insertId": "12345-12345",
    "resource": {
      "type": "cloud_function",
      "labels": {
        "project_id": "project-p123",
        "region": "us-east4",
        "function_name": "testfunction"
    "timestamp": "2021-11-16T16:07:56.647Z",
    "severity": "INFO",
    "labels": {
      "execution_id": "uji09345"
    "logName": "projects/project-p123/logs/cloudfunctions",
    "trace": "projects/project-p123/traces/uhne1234",
    "receiveTimestamp": "2021-11-16T16:08:06.721583231Z"

And my filter looks like:

filter {
            date { 
                match => ["timestamp", "ISO8601"]
                target => ["@timestamp"]
                remove_field => ["timestamp"] 
            date { 
                match => ["receiveTimestamp", "ISO8601"]
                target => ["receiveTimestamp"]
                #remove_field => ["receiveTimestamp"] 

All the other fields are coming in perfectly fine except the timestamps.
Please help in fixing this issue.
Thank you.

Can you post an example of what it is coming in as?

This is what I get:

It's in the tags! You have a _dateparsefailure. Also that screenshot is not the same as your example.

This is probably because your receiveTimestamp may be too precise for the date filter.
Anything beyond milliseconds is not parsed iirc.
It don't see any problems with your timestamp

Have you tried not using the date filter and letting Elasticsearch recognize the timestamp on its own?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.