Why it tell me that [0] "_dateparsefailure" when i change the @timestamp

{
"timestamp" => "2018-04-09 15:33:45.294",
"@version" => "1",
"@timestamp" => 2018-04-09T08:19:32.987Z,
"tags" => [
[0] "_dateparsefailure"
],
"message" => "[2018-04-09 15:33:45.294]\r",
"host" => "BIH-D-6331"
}

input {
stdin { }
}
filter {
grok{
match => [
"message","[%{TIMESTAMP_ISO8601:timestamp}]"
]
}
date {
match => [ "timestamp", "yyyy-MM-dd HH:mm:ss,SSS Z" ]
target => "@timestamp"
}
}
output {

	  elasticsearch { 
					hosts => localhost	  	
					index => "logstash(%{+yyyy.MM.dd})"  
					document_type =>"logstash"
					}   
					stdout {  
        codec => rubydebug
      }

}

Question moved to #logstash

Please format your code, logs or configuration files using </> icon as explained in this guide and not the citation button. It will make your post more readable.

Or use markdown style like:

```
CODE
```

There's a live preview panel for exactly this reasons.

Lots of people read these forums, and many of them will simply skip over a post that is difficult to read, because it's just too large an investment of their time to try and follow a wall of badly formatted text.
If your goal is to get an answer to your questions, it's in your interest to make it as easy to read and understand as possible.
Please update your post.

Here it depends on your source document but most likely either \r is missing in the grok pattern or 2018-04-09 15:33:45.294 is not a TIMESTAMP_ISO8601 format (missing the T character I think).

ok i find my problem
i should write
date {
match => [ "timestamp", "ISO8601" ]
target => "@timestamp"
}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.