ISO8601 in date filter


#1

I'm pulling events in from a MariaDB database.
The event that arrives in Elasticsearch looks like this:

{
  "_index": "test",
  "_type": "logs",
  "_id": "AV1gkQx-9-vDP_XVWXk_",
  "_score": null,
  "_source": {
    "@timestamp": "2017-07-20T15:15:04.754Z",
    "a_field": "XXX",
    "other_field": "YYY",
    "@version": "1",
    "action": "INSERT",
    "detail": "ZZZ",
    "created_date": "2017-06-30T22:00:00.000Z",
    "some_id": 7893,
    "other_id": 4319,
    "tags": [
      "_dateparsefailure"
    ]
  },
  "fields": {
    "@timestamp": [
      1500563704754
    ]
  },
  "sort": [
    1500563704754
  ]
}

I tried using the created_date field as the timestamp with

filter {
    date {
        match => [ "created_date", "ISO8601" ]
        target => "@timestamp"
    }
}

Looking at the documentation, the format is exactly what I have:

ISO8601 - should parse any valid ISO8601 timestamp, such as 2011-04-19T03:44:01.103Z

Why do I get a _dateparsefailure in the end then?

