Logstash date field error

bdn · June 10, 2020, 8:42am

I have log files from where I've to query documents through the date field. Here is the log date format.
2020-06-10 14:01:26
I've defined a grok pattern like below in Logstash for the log.

filter {
    grok {
           match => {"message" => "%{YEAR:YEAR}-%{MONTHNUM:MONTHNUM}-%{MONTHDAY:MONTHDAY} %{TIME:time} ........."
          }}
    mutate {
            add_field => {
              "log_timestamp" => "%{YEAR}-%{MONTHNUM}-%{MONTHDAY}"
 }}

Date field log_timestamp is working as expected but I've been receiving Logstash error message frequently because of this grok pattern. In a day, if there's a log document of around 100 then 10 logs will be discarded because of this error. Is there any better way to parse the log file and get the date field?

Error msg:

[2020-06-10T06:43:18,756][WARN ][logstash.outputs.elasticsearch][log] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"log-2020-06", :_type=>"_doc", :routing=>nil}, #LogStash::Event:0x7f4158ff], :response=>{"index"=>{"_index"=>"log-2020-06", "_type"=>"_doc", "_id"=>"KSSvm3IBbBjRTTrvQZx8", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse field [log_timestamp] of type [date] in document with id 'KSSvm3IBbBjRTTrvQZx8'. Preview of field's value: '%{YEAR}-%{MONTHNUM}-%{MONTHDAY}'", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"failed to parse date field [%{YEAR}-%{MONTHNUM}-%{MONTHDAY}] with format [strict_date_optional_time||epoch_millis]", "caused_by"=>{"type"=>"date_time_parse_exception", "reason"=>"date_time_parse_exception: Failed to parse with all enclosed parsers"}}}}}}

bdn · June 15, 2020, 6:39am

Can anyone suggest on this?

gab.bernasconi · June 15, 2020, 1:26pm

I don't see anything wrong with your parsing. Nonetheless, if you are getting errors, I would try using explicit regular expressions, to make sure that you are getting what you expect.

For example, if your pattern is always exactly as you quoted, you could use this to parse it:

filter {
  grok {
    match => { "message" => "(?<YEAR>\d{4})-(?<MONTHNUM>\d{2})-(?<MONTHDAY>\d{2})\s(?<HOUR>\d{2}):(?<MINUTE>\d{2}):(?<SECOND>\d{2})" }
  }
}

These matches are stricter than the grok patterns you quoted, but maybe this can help to narrow down the problem.

bdn · June 18, 2020, 10:13am

Thank you for your reply.

I've followed your advice but still having the same issue. Here is the error message,

"reason"=>"failed to parse date field [%{YEAR}-%{MONTHNUM}-%{MONTHDAY}] with format [strict_date_optional_time||epoch_millis]", "caused_by"=>{"type"=>"date_time_parse_exception", "reason"=>"date_time_parse_exception: Failed to parse with all enclosed parsers"}}}}}}

gab.bernasconi · June 18, 2020, 12:40pm

What's the content of the message field for the message that gives you the error?

bdn · June 18, 2020, 3:34pm

Error is related to log_timestamp field, date field.
I found a similar problem reported on Github too.

system · July 16, 2020, 3:35pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Date parsing errors I need help to debug Logstash	5	958	July 2, 2020
Failed to parse date field Logstash	5	4626	June 15, 2021
Failed parsing date from field - how to troubleshoot Logstash	2	1011	July 6, 2017
Logstash couldn't index date field for few log lines Logstash	4	489	July 12, 2019
Failed parsing date from field using logstash Logstash	8	1136	July 6, 2017

Logstash date field error

Related Topics