Timestamp format fails when there's a space in my timestamp field

Elastic Stack Elasticsearch
1

Hey,
I've been poking around with the Kibana dev tools and created an index called orglogs and a type called log
Here it is:
> POST orglogs/log

{
    "properties": {
      "_timestamp": {
        "type": "object"
      },
      "message": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "text": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      },
      "timestamp": {
        "type": "date",
        "format": "yyyy-MM-dd HH:mm:ss.SSS||yyyy-MM-dd HH:mm:ss||yyyy-MM-dd HH:mm:ss.S||yyyy-MM-dd HH:mm:ss.SS||yyyy-MM-dd HH:mm:ss"
      },
      "type": {
        "type": "text",
        "fields": {
          "keyword": {
            "type": "keyword",
            "ignore_above": 256
          }
        }
      }
    }
}

Afterwards, I tried sending a POST request:

POST orglogs/log
{"type":"log","timestamp":"2018-05-13 14:42:46.320","message":"FOVs set to V=39.1, H=50.8"}

Then, I get a parsing problem:
> {

  "error": {
    "root_cause": [
      {
        "type": "mapper_parsing_exception",
        "reason": "failed to parse [timestamp]"
      }
    ],
    "type": "mapper_parsing_exception",
    "reason": "failed to parse [timestamp]",
    "caused_by": {
      "type": "illegal_argument_exception",
      "reason": "Invalid format: \"2018-05-13 14:42:46.320\" is malformed at \" 14:42:46.320\""
    }
  },
  "status": 400
}

I don't understand why this happens.
When I tried changing the format to yyyy-MM-dd'T'HH:mm:ss.SSS and adding that T in the timestamp field, it worked. But there must be a way to do it without compromising readability.
Any help?

Thanks,
Oren

2

Oren

I put the mapping in:

PUT orglogs
{
  "mappings": {
    "log": {
      "properties": {
        "_timestamp": {
          "type": "object"
        },
        "message": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "text": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        },
        "timestamp": {
          "type": "date",
          "format": "yyyy-MM-dd HH:mm:ss.SSS||yyyy-MM-dd HH:mm:ss||yyyy-MM-dd HH:mm:ss.S||yyyy-MM-dd HH:mm:ss.SS||yyyy-MM-dd HH:mm:ss"
        },
        "type": {
          "type": "text",
          "fields": {
            "keyword": {
              "type": "keyword",
              "ignore_above": 256
            }
          }
        }
      }
    }
  }
}

I then put in my data:

POST orglogs/log
{
  "type":"log",
  "timestamp":"2018-05-13 14:42:46.320",
  "message":"FOVs set to V=39.1, H=50.8"
}

And then searched:

GET orglogs/log/_search
{
  "query": {
    "match_all": {}
  }
}

Search results:

{
  "took": 45,
  "timed_out": false,
  "_shards": {
    "total": 5,
    "successful": 5,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": 1,
    "max_score": 1,
    "hits": [
      {
        "_index": "orglogs",
        "_type": "log",
        "_id": "rb8ON2QBkZR8mfXFMQSD",
        "_score": 1,
        "_source": {
          "type": "log",
          "timestamp": "2018-05-13 14:42:46.320",
          "message": "FOVs set to V=39.1, H=50.8"
        }
      }
    ]
  }
}

I did my mapping as a put is the only difference I think.

1 Like
3

Thank you so much! I have no idea why the minor change worked, but it did all the same.
Much appreciated!

Thanks,
Oren

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.