Hello everybody,
I know this subject is asked many time but after many try, I don't understand some things...
Here is my data input
"@timestamp" => 2017-07-10T14:12:01.442Z,
"data_completiondate" => 2017-07-01T02:02:35.610Z,
"xdateinserted" => 2017-07-01T00:00:10.153Z,
Here is my filter logstash cfg
filter { date { match => ["xdateinserted" , "yyyy-MM-dd'T'HH:mm:ss.SSSZ"] } }
I got a [0] "_dateparsefailure" and don't understand why because my match seems ok for me.
I've tried ISO8601 too.
I have follow the guide : https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html
and got the same result with
> input {
> stdin {}
> }
> filter {
> date {
> match => [ "message", "MMM dd HH:mm:ss" ]
> }
> }
> output {
> stdout {codec => rubydebug}
> }
Input => Apr 17 09:32:01
> {
> "@timestamp" => 2017-07-10T15:52:13.091Z,
> "@version" => "1",
> "host" => "SWPAFRCT801",
> "message" => "Apr 17 09:32:01\r",
> "tags" => [
> [0] "_dateparsefailure"
> ]
> }
Something is really weird and not understandable...
I'm new on logstash, maybe my fault.
FYI, i'm using logstash 5.4.3 actually
How are you getting the data into Logstash? Might it be that those fields are already dates, and not strings?
In first post, it's a datetime field getting on an sql server,
Second post, it's directly on input so I think it's a string ?
What does the event look like if you output it to a stdout output plugin with a rubydebug codec?
a dateparsefailure.
> {
> "@timestamp" => 2017-07-10T16:16:01.944Z,
> "xdateinserted" => 2017-07-01T00:00:10.153Z,
> "@version" => "1",
> "tags" => [
> [0] "_dateparsefailure"
> ]
> }
Configuration :
> filter {
> date {
> match => ["xdateinserted" , "yyyy-MM-dd'T'HH:mm:ss.SSSZ"]
> }
> }
> output {
> stdout {codec => rubydebug}
> }
Any news ?
As far as I can see it looks like it may already be a date field as there are no quotation marks to indicate that it is a string.
Thanks for the return.
Yes it's already a date field from sql server but how can I replace the default timestamp by this value?
And why when I tried the action of my second msg, it's again a dateparsefailure from string input?
Just want to understand, sorry.
Use a function date .... It's the best solution .
Yes it's already a date field from sql server but how can I replace the default timestamp by this value?
You can just use a mutate filter to copy the field value.
And why when I tried the action of my second msg, it's again a dateparsefailure from string input?
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.