Wrong values are populated into date field using Logstash

Ram18 · February 11, 2019, 1:27pm

Hello,
I could see the date field are populated wrongly into Elasticsearch. I am generating CSV file and inserting the data through logstash conf file. Below is the screenshot where I have highlighted the date columns which are wrongly inserted for ex: In CSV the vendor_start_dt, vendor_end_dt and event_tm columns are 01-feb-2019, but when I see the data through kibana, it shows as 01-Jan-2019. This is the case for all the values.

Below is the contents from conf file of logstash

input {
file {
path => "/data01/logstash/data/daily_final_report_201902110807.csv"
start_position => "beginning"
sincedb_path => "/dev/null"
}
}
filter {
csv {
separator => ","
columns => [ "filename","fileformat","filesize","data_received_dt","vendor_start_dt","vendor_end_dt","bucketname","createdt","filetype","event_tm","processing_status" ]
}
}
output {
elasticsearch {
hosts => "addd.xxxx.local:9200"
index => "rr_log_gen"
document_type => "_doc"
workers => 1
}
stdout {}
}

So let me know what was the wrong in this case?

yaauie · February 12, 2019, 7:16am

What does your Elasticsearch mapping look like for those fields?

GET addd.xxxx.local:9200/rr_log_gen/_mapping/_doc

I've previously seen issues where a user configured a date field with the format including D (day of year) instead of d (day of month), causing similar effect.

Ram18 · February 12, 2019, 7:22am

Below is the mappings listed. I have issue in fields like vendor_start_dt, vendor_end_dt and event_tm

{
"rr_log_gen" : {
"mappings" : {
"_doc" : {
"properties" : {
"@timestamp" : {
"type" : "date"
},
"@version" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"bucketname" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"createdt" : {
"type" : "date"
},
"data_received_dt" : {
"type" : "date"
},
"event_tm" : {
"type" : "date",
"format" : "yyyy-mm-dd HH:mm:ss"
},
"fileformat" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"filename" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"filesize" : {
"type" : "long"
},
"filetype" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"host" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"message" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"path" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"processing_status" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"tags" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
},
"vendor_end_dt" : {
"type" : "date",
"format" : "yyyy-mm-dd HH:mm:ss"
},
"vendor_start_dt" : {
"type" : "date",
"format" : "yyyy-mm-dd HH:mm:ss"
},
"vendorname" : {
"type" : "text",
"fields" : {
"keyword" : {
"type" : "keyword",
"ignore_above" : 256
}
}
}
}
}
}

yaauie · February 12, 2019, 7:39am

What do those columns look like in your CSV?

Ram18 · February 12, 2019, 7:59am

I have attached the screenshot in my initial topic itself. I am using shell script to generate the date column with the format +%Y-%m-%d %T and if we viewin csv file, it shows the data as m/d/yyyy hh:mi:ss format.

yaauie · February 12, 2019, 6:53pm

The dates in your screenshot are not of the format you say you have specified. Sometimes visual editors like Excel can present data in a different way than the raw bytes. Please paste the raw bytes from your CSV (perhaps open it with Notepad or some other basic editor that doesn't manipulate presentation).

Ram18 · February 12, 2019, 7:02pm

The csv file has YYYY-MM-DD HH:MI:SS format
[ 2018-08-01 00:00:00 ]

Badger · February 12, 2019, 7:06pm

Really? Your mapping has lower case mm for both month and minute?

Ram18 · February 12, 2019, 7:08pm

yes!!

Badger · February 12, 2019, 7:14pm

That seems odd. Unfortunately I do not have an elasticsearch node I can test with. I really should get one built out.

Ram18 · February 12, 2019, 7:16pm

I have a doubt, Can we exclude the HH:MI:SS alone from the field and populate into new field with mappings as date

system · March 12, 2019, 7:16pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Import csv file to ES but date isn't correct Logstash	2	306	March 16, 2019
Data transformation for date field Elasticsearch	6	1042	October 18, 2018
CSV/Time Bug Logstash	3	276	December 4, 2019
Issue with date field in CSV plugin Logstash	8	394	April 21, 2021
CSV parsed data showing different date than received Elasticsearch	5	557	November 23, 2018

Wrong values are populated into date field using Logstash

Related topics