I have exactly the same issue. But the solution from alex22 doesn't work for me.
Here is my config:
    filter {
      if [type] == "apache-access" {
        grok {
          match => { "rawmsg" => "%{COMBINEDAPACHELOG}" }
        }
        date {
          locale => "en"
          match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
        }
      }
    }
This is the error from logstash:
    "error"=>{
      "type"=>"mapper_parsing_exception",
      "reason"=>"failed to parse [timestamp]",
      "caused_by"=>{
        "type"=>"illegal_argument_exception",
        "reason"=>"Invalid format: \"02/Feb/2016:08:22:19 +0100\" is malformed at \"/Feb/2016:08:22:19 +0100\""
      }
    }
I use logstash 2.1.1 and ElasticSearch 2.1.1. I've cleaned the ElasticSearch index as suggested by Alex22, but this doesn't help in my case.
Searching the internet, I've found a lot of similar issues. These issues were solved by adding the locale to the date filter. But in my case that doesn't help. There is also a difference in the error message. The issue which could be solved with the locale has an error message of the form "is malformed at "Feb/2016:08:22:19 +0100"", which indicates that the month couldn't be parsed. But my error message indicates that the date couldn't be parsed at the leading slash.
Any help would be appreciated!