Invalid timestamp format, but the date is formed correctly

[Mojster]

I'm posting here, because I've already posted this on Elastic forum and an Elastic Team member tested this and his assuming to be a bug. He found out that if he leaves the timezone out, then it's working.

Link to Elastic Forum topic: Elastic forum topic

I've proceed with this 352327606 records. 352327595 were ok, but 11 thrown an error:

[2017-12-02T21:38:52,855][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"transakcije", :_type=>"log_transakcije", :_routing=>nil}, #<LogStash::Event:0x61d3361>], :response=>{"index"=>{"_index"=>"transakcije", "_type"=>"log_transakcije", "_id"=>"IIfzGGABRrLTAyiQ8Z6L", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [date]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"29.03.2009;02:42:00\" is malformed at \".03.2009;02:42:00\""}}}}}
[2017-12-02T21:38:52,920][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"transakcije", :_type=>"log_transakcije", :_routing=>nil}, #<LogStash::Event:0x5ae31e28>], :response=>{"index"=>{"_index"=>"transakcije", "_type"=>"log_transakcije", "_id"=>"IYfzGGABRrLTAyiQ8Z6L", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [date]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"29.03.2009;02:42:01\" is malformed at \".03.2009;02:42:01\""}}}}}
[2017-12-02T21:38:52,935][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"transakcije", :_type=>"log_transakcije", :_routing=>nil}, #<LogStash::Event:0x657bbaba>], :response=>{"index"=>{"_index"=>"transakcije", "_type"=>"log_transakcije", "_id"=>"IofzGGABRrLTAyiQ8Z6L", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [date]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"29.03.2009;02:42:02\" is malformed at \".03.2009;02:42:02\""}}}}}
[2017-12-02T22:50:12,228][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"transakcije", :_type=>"log_transakcije", :_routing=>nil}, #<LogStash::Event:0x449a80fc>], :response=>{"index"=>{"_index"=>"transakcije", "_type"=>"log_transakcije", "_id"=>"qeI1GWABRrLTAyiQTRT-", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [date]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"29.03.2009;02:09:00\" is malformed at \".03.2009;02:09:00\""}}}}}
[2017-12-03T03:26:53,775][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"transakcije", :_type=>"log_transakcije", :_routing=>nil}, #<LogStash::Event:0x1b1b2b88>], :response=>{"index"=>{"_index"=>"transakcije", "_type"=>"log_transakcije", "_id"=>"bCEyGmABRrLTAyiQln2z", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [date]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"29.03.2009;02:12:00\" is malformed at \".03.2009;02:12:00\""}}}}}
[2017-12-03T07:35:51,399][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"transakcije", :_type=>"log_transakcije", :_routing=>nil}, #<LogStash::Event:0x43a31561>], :response=>{"index"=>{"_index"=>"transakcije", "_type"=>"log_transakcije", "_id"=>"8jYWG2ABRrLTAyiQhP4I", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [date]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"29.03.2009;02:08:00\" is malformed at \".03.2009;02:08:00\""}}}}}
[2017-12-03T08:30:55,304][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"transakcije", :_type=>"log_transakcije", :_routing=>nil}, #<LogStash::Event:0x5b75f6a>], :response=>{"index"=>{"_index"=>"transakcije", "_type"=>"log_transakcije", "_id"=>"DYpIG2ABRrLTAyiQ9m2h", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [date]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"29.03.2009;02:03:00\" is malformed at \".03.2009;02:03:00\""}}}}}
[2017-12-03T08:30:55,304][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"transakcije", :_type=>"log_transakcije", :_routing=>nil}, #<LogStash::Event:0x234fc3e0>], :response=>{"index"=>{"_index"=>"transakcije", "_type"=>"log_transakcije", "_id"=>"DopIG2ABRrLTAyiQ9m2h", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [date]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"29.03.2009;02:06:00\" is malformed at \".03.2009;02:06:00\""}}}}}
[2017-12-03T08:30:55,305][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"transakcije", :_type=>"log_transakcije", :_routing=>nil}, #<LogStash::Event:0x7f1a60b9>], :response=>{"index"=>{"_index"=>"transakcije", "_type"=>"log_transakcije", "_id"=>"D4pIG2ABRrLTAyiQ9m2h", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [date]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"29.03.2009;02:07:00\" is malformed at \".03.2009;02:07:00\""}}}}}
[2017-12-03T09:36:50,047][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"transakcije", :_type=>"log_transakcije", :_routing=>nil}, #<LogStash::Event:0x3adde0ad>], :response=>{"index"=>{"_index"=>"transakcije", "_type"=>"log_transakcije", "_id"=>"dvaFG2ABRrLTAyiQT_kK", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [date]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"31.03.2013;02:06:00\" is malformed at \".03.2013;02:06:00\""}}}}}
[2017-12-03T15:03:57,910][WARN ][logstash.outputs.elasticsearch] Could not index event to Elasticsearch. {:status=>400, :action=>["index", {:_id=>nil, :_index=>"transakcije", :_type=>"log_transakcije", :_routing=>nil}, #<LogStash::Event:0x6c159c4e>], :response=>{"index"=>{"_index"=>"transakcije", "_type"=>"log_transakcije", "_id"=>"LcywHGABRrLTAyiQzki8", "status"=>400, "error"=>{"type"=>"mapper_parsing_exception", "reason"=>"failed to parse [date]", "caused_by"=>{"type"=>"illegal_argument_exception", "reason"=>"Invalid format: \"29.03.2009;02:02:00\" is malformed at \".03.2009;02:02:00\""}}}}}

So only this two dates are causing this error message.

• Version: 6.0.0
• Operating System: Windows Server 2012R2
• Config File (if you have sensitive info, please remove it):

  
  # The # character at the beginning of a line indicates a comment. Use
  # comments to describe your configuration.
  input {
  beats {
      port => "5044"
  }
  }
  # The filter part of this file is commented out to indicate that it is
  # optional.
  filter {
  mutate {
      gsub => ["message", "\|C3\|", "|cir=C3|"]
  }

kv {

field_split => "|"

include_brackets => false

}

ruby {
    code => "
        a = event.get('message').split('|').delete_if{|x| !x.match(/=/)}
        a.each {|y| b = y.split('=', 2)
            event.set(b[0].strip, b[1])
        }
        event.set('acronym', event.get('acronym').upcase)"
}
mutate {
    gsub => ["date", " ", ";"]
    convert => {"type" => "integer"}
    convert => {"rptPackageStatus" => "integer"}
    add_field => {"country" => "si"}
}
date {
    locale => "en"
    match => ["date", "dd.MM.YYYY;HH:mm:ss"]
    timezone => "Europe/Ljubljana"
    target => "date"
}
date {
    locale => "en"
    match => ["returnDate", "dd.MM.YYYY"]
    timezone => "Europe/Ljubljana"
    target => "returnDate"
}
date {
    locale => "en"
    match => ["firstsignUpDate", "dd.MM.YYYY"]
    timezone => "Europe/Ljubljana"
    target => "firstsignUpDate"
}
date {
    locale => "en"
    match => ["lastVisitDate", "dd.MM.YYYY"]
    timezone => "Europe/Ljubljana"
    target => "lastVisitDate"
}
date {
    locale => "en"
    match => ["loanDate", "dd.MM.YYYY"]
    timezone => "Europe/Ljubljana"
    target => "loanDate"
}
date {
    locale => "en"
    match => ["lastProlongDate", "dd.MM.YYYY"]
    timezone => "Europe/Ljubljana"
    target => "lastProlongDate"
}
date {
    locale => "en"
    match => ["reservationDate", "dd.MM.YYYY"]
    timezone => "Europe/Ljubljana"
    target => "reservationDate"
}

} output { elasticsearch { hosts => [ "localhost:9200" ] index => "transakcije" document_type => "log_transakcije" }

stdout { codec => rubydebug }

}

- Sample Data:

|cir=C2|date=29.03.2009 02:42:01|acronym=CEKLJ|libraryCode=50005|user=EZPROXY|type=57|transactionHostDepartment=01|membIdentificNumb=0051022|patronId=0051022|patronCategory=020|lastVisitDate=28.03.2009|schoolName=19|schoolDept=1|libraryDept=00|firstsignUpDate=09.11.2004

[Mojster]

It's a DST problem. This time does not exist.

Please fix the error message, because the message is just confusing and it does not give any hint how to solve this.

[jsvd]

This error is a result from an index operation in elasticsearch, so the error message comes from elasticsearch itself, we just show that in the elasticsearch output plugin, it's unrelated to the date filter.