Flexible data converter error

Hello dear ones

I’m trying to analyze some Wireshark output transmitted to Graylog using a Raw/Plaintext TCP input.
Everything works fine except the date conversion.

The date of the captured frame has the following format:
Apr 10, 2019 15:15:59.457551000

So I have configured the following format string for the date converter:
MMM dd, yyyy HH:mm:ss.SSSSSSSSS

But when I send a test message via /dev/tcp, I don’t see any received messages for that input, and I get the following error in the server.log:

2019-04-11T14:48:24.744+02:00 ERROR [Extractor] Could not apply converter [DATE] of extractor [acb9b250-5c54-11e9-b18f-080027dc2e23].
java.lang.IllegalArgumentException: Invalid format: “Apr 10, 2019 15:15:59.457551000”

The indexer failures page of the web interface reports the same error:

{“type”:“mapper_parsing_exception”,“reason”:“failed to parse field [time] of type [date] in document with id ‘24af2900-5c57-11e9-b18f-080027dc2e23’”,“caused_by”:{“type”:“illegal_argument_exception”,“reason”:“Invalid format: "Apr 10, 2019 15:15:59.457551000"”}}

Could anyone tell me what is wrong?
Thanks a lot

Have a good day

Elasticsearch can’t handle the format. This is why you get the index error message.
Check the mapping on your index.
I’m not sure you can set the correct format in Elastic and that Graylog will also handle it right. So I suggest you first play with a new field.
And as far as I remember, there were some similar topics in the community.
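
An added example, not part of the thread and not Graylog or Wireshark code: one way to avoid the format error discussed above is to normalize the Wireshark frame timestamp to ISO 8601 with millisecond precision before it is sent to the input, a form that Elasticsearch's default date format (`strict_date_optional_time`) accepts. The function name `normalize_frame_time` and the `utc_offset_hours` parameter are hypothetical, and the capture host's UTC offset is assumed to be known.

```python
import re
from datetime import datetime, timedelta, timezone

# Shape of the timestamp quoted in the post:
#   "Apr 10, 2019 15:15:59.457551000"
# The fraction is captured separately because strptime's %f accepts at most
# six digits and would reject Wireshark's nine-digit nanosecond field.
_FRAME_TIME = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2}, \d{4} \d{2}:\d{2}:\d{2})"
    r"(?:\.(?P<frac>\d{1,9}))?$"
)


def normalize_frame_time(raw, utc_offset_hours=0):
    """Return 'YYYY-MM-DDTHH:MM:SS.mmmZ' (UTC), or None if raw is malformed.

    utc_offset_hours is an assumption of this example: the offset of the
    capture host's local time, since the quoted format carries no zone.
    """
    match = _FRAME_TIME.match(raw.strip())
    if match is None:
        return None
    try:
        base = datetime.strptime(match.group("stamp"), "%b %d, %Y %H:%M:%S")
    except ValueError:
        # Syntactically fine but not a real date, e.g. "Feb 30".
        return None

    # Right-pad the fraction to nanoseconds, then truncate to milliseconds.
    nanos = int((match.group("frac") or "0").ljust(9, "0"))
    millis = nanos // 1_000_000

    local = base.replace(
        microsecond=millis * 1000,
        tzinfo=timezone(timedelta(hours=utc_offset_hours)),
    )
    utc = local.astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%dT%H:%M:%S.") + f"{utc.microsecond // 1000:03d}Z"


if __name__ == "__main__":
    # Constructed sample: the timestamp from the post, capture host at UTC+2.
    print(normalize_frame_time("Apr 10, 2019 15:15:59.457551000", 2))
```

Sub-millisecond digits are discarded by this conversion; if they matter for the analysis, keep the original string in a separate non-date field.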
