Logstash couldn't index date field for few log lines

Hello Experts,

I am getting the error below while logstashing a log file, but I see that only a few of them are failing with this error and the remaining are logstashed without any issues. Why are only a few failing even though there is no change in the date format?

Logstash error

> [2019-06-13T13:35:32,159][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"cas-log-1", :_type=>"doc", :routing=>nil}, #<LogStash::Event:0x49eb0676>], :response=>{"index"=>{"_index"=>"cas-log-1", "_type"=>"doc", "_id"=>"Y-uNUmsBOZFRwoF5eqNl", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [logdate] of type [date] in document with id 'Y-uNUmsBOZFRwoF5eqNl'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"2019-06-12 05:48:57\" is malformed at \" 05:48:57\""}}}}}

Here is my date filter

```
date {
  match => ["logdate", "yyyy-MM-dd HH:mm:ss"]
  target => "logdate"
  timezone => "PST8PDT"
}
```

Here is what my log line looks like

```
INFO [Service Thread] 2019-06-11 07:57:44,325 StatusLogger.java:56 - ReadStage 2 0 10091338228 0 0
```

Thanks
Chandra

It apparently does not expect your date field to contain a time. Check the mapping of the index and see what formats it allows.

Hi @Badger,

But how come other log lines are being parsed?
Parsed data from ES:
```
{
  "_index": "cas-log-1",
  "_type": "doc",
  "_id": "bfqnUmsBOZFRwoF5gQbL",
  "_version": 1,
  "_score": null,
  "_source": {
    "tags": [
      "cassandra",
      "_grokparsefailure",
      "cass_rest_all"
    ],
    "java_file": "LocalAntiCompactionTask",
    "threadId": 76983,
    "path": "/opt/caslogs/mStore_PROD_MSG_Cluster-diagnostics-2019_06_13_05_59_01_UTC/nodes/10.175.51.39/logs/cassandra/system.log",
    "process": "AntiCompactionExecutor",
    "logdate": "2019-06-13T05:59:23.000Z",
    "line_number": 140,
    "message": "[repair #5ee0def0-8da0-11e9-a189-c50b5d88e2be] Starting anticompaction for OpsCenter.backup_reports on 0/0 sstables on 517 ranges.",
    "@timestamp": "2019-06-13T21:03:56.952Z",
    "@version": "1",
    "host": "0.0.0.0",
    "level": "INFO"
  },
  "fields": {
    "@timestamp": [
      "2019-06-13T21:03:56.952Z"
    ],
    "logdate": [
      "2019-06-13T05:59:23.000Z"
    ]
  },
  "sort": [
    1560405563000
  ]
}
```

Thanks
Chandra

I do not know. Your elasticsearch instance contains the information that should allow you to determine that.
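A triage sketch for the rejection warning quoted in this thread, added here as an example and not posted by either participant. It pulls the index, field and rejected value out of each `Could not index event` line and compares the value with the two shapes seen in the thread. `ES_DEFAULT` approximates Elasticsearch's default `date` format (`strict_date_optional_time||epoch_millis`), which is an assumption because the thread never shows the index mapping; `triage`, `matches_filter_pattern` and the sample line (abbreviated from the thread) are illustrative names and data.

```python
import re
from datetime import datetime

# Constructed sample: the WARN line quoted in the thread, abbreviated ("...") for length.
SAMPLE_LOG = r'''
[2019-06-13T13:35:32,159][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"cas-log-1", :_type=>"doc", :routing=>nil}, ...], :response=>{"index"=>{"_index"=>"cas-log-1", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [logdate] of type [date] in document with id 'Y-uNUmsBOZFRwoF5eqNl'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"2019-06-12 05:48:57\" is malformed at \" 05:48:57\""}}}}}
'''

# Fields of interest inside the Ruby-inspect style payload of the warning.
REJECT = re.compile(
    r':_index=>"(?P<index>[^"]+)".*?'
    r'failed to parse field \[(?P<field>[^\]]+)\] of type \[(?P<type>[^\]]+)\].*?'
    r'Invalid format: \\"(?P<value>.*?)\\" is malformed at \\"(?P<at>.*?)\\"')

# Approximation of strict_date_optional_time||epoch_millis (assumed mapping format).
ES_DEFAULT = re.compile(
    r'^(-?\d+|\d{4}-\d{2}-\d{2}'
    r'(T\d{2}(:\d{2}(:\d{2}([.,]\d+)?)?)?(Z|[+-]\d{2}:?\d{2})?)?)$')

def matches_filter_pattern(value, fmt="%Y-%m-%d %H:%M:%S"):
    """True if value has the shape of the date filter's yyyy-MM-dd HH:mm:ss pattern."""
    try:
        datetime.strptime(value, fmt)
        return True
    except ValueError:
        return False

def triage(log_text):
    """Return one record per rejected event found in Logstash output warnings."""
    records = []
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["es_default_ok"] = bool(ES_DEFAULT.match(rec["value"]))
        # Still in the filter's input shape: the value was not rewritten into
        # the ISO 8601 form that the successfully indexed document carries.
        rec["still_raw"] = matches_filter_pattern(rec["value"])
        records.append(rec)
    return records

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r)
```

Running it over a full Logstash log and grouping the records by `field` and `still_raw` shows which events reach Elasticsearch with an unconverted date string, which is where to start looking at the pipeline's conditionals and grok branches.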
