elasticsearch.exceptions.RequestError: RequestError(400, 'mapper_parsing_exception', "failed to parse field [match_time] of type [date]

[SadCasual]

hi,@jertel
I can't writing alert info to Elasticsearch,error:
ERROR:elastalert:Error writing alert info to Elasticsearch: RequestError(400, 'mapper_parsing_exception', "failed to parse field [match_time] of type [date] in document with id 'm1SBrogBtnTvAA3RT-Yj'. Preview of field's value: '2023-06-12 15:24 CST'") elasticsearch.exceptions.RequestError: RequestError(400, 'mapper_parsing_exception', "failed to parse field [match_time] of type [date] in document with id 'm1SBrogBtnTvAA3RT-Yj'. Preview of field's value: '2023-06-12 15:24 CST'")

index elastalert_status mappings:

please help me!thinks!!!

[SadCasual]

my config,yaml:

rules_folder: /opt/elastalert2/elastalert2-2.11.0/examples/rules
run_every:
  seconds: 30
buffer_time:
  minutes: 15
es_host: 
es_port: 9200
use_ssl: True
verify_certs: True
ca_certs: /etc/kibana/certs/ca/ca.crt
ssl_show_warn: False
es_username: 
es_password:
writeback_index: elastalert_status
alert_time_limit:
  days: 2
custom_pretty_ts_format: '%Y-%m-%d %H:%M'
use_local_time: true

[jertel]

What field are you using in your source index, for storing the document timestamp? And what do those values look like? Is it type mapped to a date type?

[SadCasual]

sorry! I don't know "source index" what means...Please let me know in detail，thanks!

[SadCasual]

alerts-test result:

Would have written the following documents to writeback index (default is elastalert_status):

silence - {'exponent': 0, 'rule_name': '', '@timestamp': datetime.datetime(2023, 6, 13, 2, 33, 47, 867672, tzinfo=tzutc()), 'until': datetime.datetime(2023, 6, 13, 2, 34, 47, 867649, tzinfo=tzutc())}

elastalert - {'match_body': {}, 'rule_name': '', 'alert_info': {'type': 'email', 'recipients': ['']}, 'alert_sent': True, 'alert_time': datetime.datetime(2023, 6, 13, 2, 33, 47, 868304, tzinfo=tzutc()), 'match_time': '2023-06-13 10:32 CST'}

elastalert_status - {'rule_name': '', 'endtime': datetime.datetime(2023, 6, 13, 2, 33, 47, 637788, tzinfo=tzutc()), 'starttime': datetime.datetime(2023, 6, 13, 2, 31, 46, 437788, tzinfo=tzutc()), 'matches': 6, 'hits': 6, '@timestamp': datetime.datetime(2023, 6, 13, 2, 33, 47, 879204, tzinfo=tzutc()), 'time_taken': 0.035807132720947266}

it looks Okay？？

[jertel]

No, it doesn't. Your match_time value is a string, not a date object. I asked about the source index because I'm trying to understand what the data looks like that your rule is querying. Based on what you've shown the problem appears to be that your rule is using a timestamp_field that is not an actual timestamp value (instead it appears to be a date string using an uncommon date/time format).