Template Date filter

tgdesrochers · March 5, 2018, 12:17pm

Elastic 6.2

Warning:

[2018-03-05T12:14:44,717][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"index-2018.02.13", :_type=>"doc", :_routing=>nil}, #<LogStash::Event:0x65ce2a9c>], :response=>{"index"=>{"_index"=>"index-2018.02.13", "_type"=>"doc", "_id"=>"MtQV9mEBFrxQ1xe84c5m", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [EventTime]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"2018-02-13 22:23:54.776966Z\" is malformed at \".776966Z\""}}}}}

Template:

          "EventTime": {
            "format": "yyyy-MM-dd HH:mm:ss||yyyy-MM-dd HH:mm:ss.SSS||yyyy-MM-dd HH:mm:ss.SSSSSSZ",
            "ignore_malformed": true,
            "type": "date"
          },

I would have thought this would parse the date/time in this field correctly. Is there a glaring reason this would be gailing that part of the template?

dadoonet · March 5, 2018, 3:41pm

I wonder if this is because for now elasticsearch does not support nansecond precision? See

And

tgdesrochers · March 5, 2018, 5:09pm

I don't think so. I have it working on another index with the same template. The non working one is from sysmon records and the working one is from raw event logs. but the fields EventTime and EventReceivedTime are printed by my shipper (NXlog) not by eventlog or sysmon.

system · April 2, 2018, 5:09pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.