Logstash not sending to ES when date parsing fails

dcroonen · March 23, 2016, 3:37pm

Hi

I have an epoch timestamp which I want to get into the @timestamp field in Elasticsearch/Kibana. When I use the code:

date {
match => [ "slowlog_timestamp","UNIX" ]
remove_field => [ "slowlog_timestamp" ]
}

I get a _dateparsefailure and nothing is to be send to Elasticsearch/Kibana. When I use the code:

date {
match => [ "slowlog_timestamp","UNIX" ]
remove_field => [ "slowlog_timestamp" ]
target => "myTime"
}

I get no _dateparsefailure and the event ends up in Elasticsearch/Kibana (see screenshot).

Anybody any ideas?

Thanks in advance.

Regards
Davy

magnusbaeck · March 24, 2016, 7:24pm

What does the raw message that results in _dateparsefailure look like? I'm interested in what the slowlog_timestamp field looks like.

dcroonen · March 25, 2016, 12:33pm

Hi Magnus

Thanks for your response. After a lot of debugging I finally found the root cause of my problem. Because I was using (old) logdata from a production server over and over again and because I was modifying the timestamp field, Elasticsearch putted the shipped data in another (older) index then the one (current) I was looking at (really pebkac isn't it).

The _dateparsefailure mentioned was also caused by me because I was trying to do incorrect conversions in an effort to debug the problem but looking in the wrong the direction.

Thanks again and sorry for (wasting) your time.

Regards

Topic		Replies	Views
_dateparsefailure - Failing to parse timestamp field into @timestamp Logstash docker	5	372	May 11, 2020
@timestamp parsing failure Elasticsearch	1	707	May 12, 2019
Logstash Date Filter Silently Failing, Never Passes Events to ES Logstash	3	511	March 7, 2017
Parsing the date and sending to ElasticSearch Logstash	13	7843	May 26, 2017
Failed to parse date field Logstash	5	4674	June 15, 2021

Logstash not sending to ES when date parsing fails

Related topics