Clark Ritchie
Reputation: 285
ElasticSearch ingest pipeline with Grok pattern DATESTAMP_RFC2822
When simulating an ElasticSearch ingest pipeline to process timestamps in the form Thu, 19 Sep 2019 20:28:58 GMT, Grok fails using the DATESTAMP_RFC2822 pattern.
Any suggestions as to what am I missing here?
Example:
POST _ingest/pipeline/_simulate
{
"pipeline" :
{
"description": "testing...",
"processors" : [
{
"grok" : {
"field" : "message",
"patterns" : [
"%{DATESTAMP_RFC2822:initial_date}"
],
"on_failure" : [
{
"set" : {
"field" : "error",
"value" : "{{ _ingest.on_failure_message }}"
}
},
{
"set" : {
"field" : "grok_error",
"value" : true
}
}
]
}
}
]
},
"docs": [
{
"_index": "index",
"_id": "1",
"_source": {
"message": "Thu 19 Sep 2019 20:28:58 GMT"
}
}
]
}
...results in:
"Provided Grok expressions do not match field value: [Thu 19 Sep 2019 20:28:58 GMT]",
Upvotes: 0
Views: 771
Answers (1)
jaspreet chahal
Reputation: 9099
Date filter cannot parse time zone names. You can use %{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{WORD}
WORD will match any word(not necessarily a time zone). If you are using any particular time zone you can replace WORD with that time zone.
Upvotes: 0
Related Questions
- ElasticSearch Ingest Pipeline: create and update timestamp field
- How come my ElasticSearch ingest pipelines with multiple grok patterns are all failing?
- Why doesn't Elasticsearch Ingest accept a grok pattern that Logstash does?
- ElasticSearch - not setting the date type
- Logstash date format grok pattern
- Logstash Grok Parsing Issue
- datetime parse in ELK
- Logstash date invalid format
- Parsing date using Logstash
- Logstash Date Filter