Problems parsing time in logstash with date filter

anchasis · December 29, 2017, 12:12pm

I have a problem parsing a timestamp of the format "2017-06-28T10:28:18.000Z". It should match both
"ISO8601" and "YYYY-MM-dd'T'HH:mm:ss.SSS'Z'" but apparently it doesn't. All other formats get parsed correctly

I tried everything but it doesn't get converted to timestamp type. I use this filter:

date {
    match => [
        "custom_time_field",
        "YYYY-MM-dd HH:mm:ss.SSS",
        "YYYY-MM-dd HH:mm:ss.SS",
        "YYYY-MM-dd HH:mm:ss.S",
        "YYYY-MM-dd HH:mm:ss",
        "YYYY-MM-dd'T'HH:mm:ss.SSS'Z'",
        "YYYY-MM-dd'T'HH:mm:ss.SS'Z'",
        "YYYY-MM-dd'T'HH:mm:ss.S'Z'",
        "YYYY-MM-dd'T'HH:mm:ss'Z'",
        "ISO8601"
    ]
    target => 'custom_time_field_time'
}

I am out of idea's. Anyone that can give me a pointer would be very helpful

anchasis · December 29, 2017, 3:04pm

Solution found,

in the filter section there was also a

convert => {
...
}

filter that tried to convert that field to date_time type. I guess this must have caused a race condition in some cases with the date filter

system · January 26, 2018, 3:05pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.