Saved field "logdate" of data view "app*" is invalid for use with the "Date Histogram" aggregation

userR · March 28, 2022, 3:35pm

Recently, we upgraded our production machine which meant I would have to re-deploy Filebeat on this new server. All the log paths and log formats are the same, however, for whatever reason, it is having an issue with logdate.

This was not an issue with the old production server so I am a little confused why it is an issue with the new server with the same log data.

    date {
      match => ["logdate", "yyyy-MM-dd HH:mm:ss,SSS"]
      target => "logdate"
      timezone => "US/Pacific"
    }

Nothing in my configuration has changed. This is what I see when I use the timestamp date histogram.

userR · March 28, 2022, 3:48pm

It looks like the new prod actually added more info to the log date. Previously, it was something like:

2022-03-25 15:59:44,351

Now it has added that extra -0700. Seems like an easy fix, will logdate still have an issue since some logs will contain the -700 while others wont?

system · April 25, 2022, 3:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.