Mapper_parsing_exception for timestamp field


(Dee) #1

Hi,
For some reason Logstash can't parse a field called timestamp in my JSON events in some environments (on other environments it works fine).
This is the error I see in the Logstash logs:

"error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [timestamp]", "caused_by"=>{"type"=>"number_format_exception", "reason"=>"For input string: "25-05-2017 11:44:09.953""}}}}, :level=>:warn}

First thing I thought was different mappings but the mappings are the same for all environments.
Any idea what can cause this sporadic behavior? And what is the meaning of this error?

Thanks!


(Magnus Bäck) #2

Well, what is the mapping of the timestamp field?


(Dee) #3

This is the mapping for @timestamp field:
"@timestamp":{"type":"date","format":"strict_date_optional_time||epoch_millis"}


(Magnus Bäck) #4

That's the @timestamp field. The log entry you posted shows ES complaining about the timestamp field.


(Dee) #5

I see, checking again I see that I really don't have any mapping for a field called "timestamp". In another environment where I see no exceptions I do see this in my mapping:
"timestamp":{"type":"string","norms":{"enabled":false}}

Could this be the issue? My index templates in both environments are the same, so how could this happen?

Thanks.


(Magnus Bäck) #6

Unless you list timestamp in your index template (and you haven't disabled the automapper) ES will automatically try to map the field. It's weird that it complains about this field if it doesn't have a mapping.

Do you really want to keep the timestamp field? It looks like a temporary field where you've stored the timestamp from the log so that you can parse it with the date filter. If so I'd just delete the field. If you want to keep it, how about adding an explicit mapping in your index template? You can make it a date field and configure it to support your date format.
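The mapping difference discussed in posts #5 and #6, as an added example that is not part of the original thread: a Python sketch that flattens two `_mapping` responses into field-to-type tables and reports every field that is unmapped or typed differently in one environment. The index name, type name, the `status` field and both sample responses are constructed for illustration, and the ES 2.x response layout is assumed.

```python
def flatten(properties, prefix=""):
    """Return {dotted.path: type} for a mapping "properties" object."""
    fields = {}
    for name, spec in properties.items():
        if "properties" in spec:  # object field: recurse into sub-fields
            fields.update(flatten(spec["properties"], prefix + name + "."))
        else:
            fields[prefix + name] = spec.get("type", "object")
    return fields


def field_types(mapping_response):
    """Field types from a GET <index>/_mapping response.

    Assumes the ES 2.x layout: index -> "mappings" -> type -> "properties".
    """
    fields = {}
    for index_body in mapping_response.values():
        for type_body in index_body.get("mappings", {}).values():
            fields.update(flatten(type_body.get("properties", {})))
    return fields


def diff_mappings(env_a, env_b):
    """(field, type_in_a, type_in_b) for each differing field; None = unmapped."""
    a, b = field_types(env_a), field_types(env_b)
    return [(f, a.get(f), b.get(f))
            for f in sorted(set(a) | set(b)) if a.get(f) != b.get(f)]


# Constructed sample responses; index and type names are hypothetical.
COMMON = {
    "@timestamp": {"type": "date",
                   "format": "strict_date_optional_time||epoch_millis"},
    "host": {"properties": {"name": {"type": "string"}}},
}
ENV_OK = {"logstash-2017.05.25": {"mappings": {"logs": {"properties": dict(
    COMMON, timestamp={"type": "string", "norms": {"enabled": False}},
    status={"type": "long"})}}}}
ENV_FAILING = {"logstash-2017.05.25": {"mappings": {"logs": {"properties": dict(
    COMMON, status={"type": "string"})}}}}

if __name__ == "__main__":
    for field, ok_type, failing_type in diff_mappings(ENV_OK, ENV_FAILING):
        print(f"{field}: ok={ok_type} failing={failing_type}")
```

Identical index templates do not guarantee identical mappings, because dynamically mapped fields only show up in the live `_mapping` output, so the comparison has to run on that output rather than on the templates.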


(Dee) #7

In my JSON events I am actually looking for a "time" field and parsing it, then removing it:

    date {
      match => [ "time", "ISO8601", "dd-MM-yyyy HH:mm:ss", "dd-MM-yyyy HH:mm:ss:SSS", "dd-MM-yyyy HH:mm:ss.SSS", "yyyy-MM-dd HH:mm:ss,SSS", "HH:mm:ss" ]
      remove_field => ["time"]
    }

I think I'll add a line to match "timestamp" as well, and remove it afterwards.
It's just weird to me that on one environment I don't get these exceptions and on another one I do.

Thanks!

