Logstash couldn't index date field for few log lines

chandukreddi · June 13, 2019, 8:44pm

Hello Experts,

I am getting below error while logstashing log file, but I do see only few of them are failing with this error and remaining logstashed with out any issues, why failing only few even there is no change in the date format?

Logstash error

> [2019-06-13T13:35:32,159][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"cas-log-1", :_type=>"doc", :routing=>nil}, #<LogStash::Event:0x49eb0676>], :response=>{"index"=>{"_index"=>"cas-log-1", "_type"=>"doc", "_id"=>"Y-uNUmsBOZFRwoF5eqNl", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [logdate] of type [date] in document with id 'Y-uNUmsBOZFRwoF5eqNl'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"2019-06-12 05:48:57\" is malformed at \" 05:48:57\""}}}}}

Here is my date filter

date {
match => ["logdate", "yyyy-MM-dd HH:mm:ss"]
target => "logdate"
timezone => "PST8PDT"
}

Here is my log line looks like

INFO [Service Thread] 2019-06-11 07:57:44,325 StatusLogger.java:56 - ReadStage 2 0 10091338228 0 0

Thanks
Chandra

Badger · June 13, 2019, 10:07pm

It apparentlly does not expect your date field to contain a time. Check the mapping of the index and see what formats it allows.

chandukreddi · June 13, 2019, 11:06pm

Hi @Badger,

But how come other log lines being parsed?
Parsed data from ES:
{
"_index": "cas-log-1",
"_type": "doc",
"_id": "bfqnUmsBOZFRwoF5gQbL",
"_version": 1,
"_score": null,
"_source": {
"tags": [
"cassandra",
"_grokparsefailure",
"cass_rest_all"
],
"java_file": "LocalAntiCompactionTask",
"threadId": 76983,
"path": "/opt/caslogs/mStore_PROD_MSG_Cluster-diagnostics-2019_06_13_05_59_01_UTC/nodes/10.175.51.39/logs/cassandra/system.log",
"process": "AntiCompactionExecutor",
"logdate": "2019-06-13T05:59:23.000Z",
"line_number": 140,
"message": "[repair #5ee0def0-8da0-11e9-a189-c50b5d88e2be] Starting anticompaction for OpsCenter.backup_reports on 0/0 sstables on 517 ranges.",
"@timestamp": "2019-06-13T21:03:56.952Z",
"@version": "1",
"host": "0.0.0.0",
"level": "INFO"
},
"fields": {
"@timestamp": [
"2019-06-13T21:03:56.952Z"
],
"logdate": [
** "2019-06-13T05:59:23.000Z"**
]
},
"sort": [
1560405563000
]
}

Thanks
Chandra

Badger · June 14, 2019, 12:04am

I do not know. Your elasticsearch instance contains the information that should allow you to determine that.

system · July 12, 2019, 12:04am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.