Template Date filter

tgdesrochers · March 5, 2018, 12:17pm

Elastic 6.2

Warning:

[2018-03-05T12:14:44,717][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"index-2018.02.13", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x65ce2a9c>], :response=>{"index"=>{"_index"=>"index-2018.02.13", "_type"=>"doc", "_id"=>"MtQV9mEBFrxQ1xe84c5m", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [EventTime]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"2018-02-13 22:23:54.776966Z\" is malformed at \".776966Z\""}}}}}

Template:

          "EventTime": {
            "format": "yyyy-MM-dd HH:mm:ss||yyyy-MM-dd HH:mm:ss.SSS||yyyy-MM-dd HH:mm:ss.SSSSSSZ",
            "ignore_malformed": true,
            "type": "date"
          },

I would have thought this would parse the date/time in this field correctly. Is there a glaring reason this would be gailing that part of the template?

dadoonet · March 5, 2018, 3:41pm

I wonder if this is because for now elasticsearch does not support nansecond precision? See

And

tgdesrochers · March 5, 2018, 5:09pm

I don't think so. I have it working on another index with the same template. The non working one is from sysmon records and the working one is from raw event logs. but the fields EventTime and EventReceivedTime are printed by my shipper (NXlog) not by eventlog or sysmon.

system · April 2, 2018, 5:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Date mapping issue Logstash	17	3380	January 19, 2018
Help needed for field to template date mapping Logstash	2	318	December 21, 2019
Issue with date format Logstash	8	1277	December 25, 2019
Date format rejected, no apparent reason why Logstash	2	390	April 19, 2018
Formatting date format in ES index template Elasticsearch	1	605	April 22, 2020

Template Date filter

Related topics