I want to parse common Apache access log files, which look like this:

```
::1 - - [02/Mar/2014:15:36:43 +0100] "GET /index.php HTTP/1.1" 200 3133
```

This is my filter section:

```
grok {
  match => ["message", "%{COMMONAPACHELOG}"]
}
date {
  match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
}
```

All fields are getting recognized, but not the timestamp. The output on the console is the following:

```
Failed parsing date from field {:field=>"timestamp", :value=>"02/Mar/2014:15:36:43 +0100", :exception=>java.lang.IllegalArgumentException: Invalid format: "02/Mar/2014:15:36:43 +0100" is malformed at "Mar/2014:15:36:43 +0100", :level=>:warn}
```

I already checked the docs for date filter. It relies on DateTimeFormat.

What have I done wrong? Can't see the mistake.

baudsp
tester
  • Works for me; I get 2014-03-02T14:36:43.000Z as the timestamp for this exact input and configuration. Is your default locale a non-English one so you need to [set the locale for the date filter](http://logstash.net/docs/1.4.2/filters/date#locale)? – Magnus Bäck Dec 04 '14 at 06:32
  • Thanks, works fine. If you want you can write this as answer so I can accept it. – tester Dec 04 '14 at 19:08

1 Answer

The `is malformed at "Mar/2014:15:36:43 +0100"` part of the error message indicates that the timestamp parser has a problem with the month name. This suggests that the default locale is something other than English (specifically, a language where the third month isn't abbreviated "Mar"). This can be solved by explicitly setting the locale used for the date filter's parsing:

```
filter {
  date {
    ...
    locale => "en"
  }
}
```
Magnus Bäck
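To see why the parser stops exactly at the month name, the following added example (not part of the original answer and not Logstash's own code) parses the question's timestamp against a per-locale month table and reports where parsing stopped. The `MONTHS` table, the choice of `de` as the non-English locale, and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Abbreviated month names per locale. Constructed sample data: "de" is an
# assumed stand-in for a non-English default locale, not taken from the page.
MONTHS = {
    "en": ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
           "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"],
    "de": ["Jan", "Feb", "Mär", "Apr", "Mai", "Jun",
           "Jul", "Aug", "Sep", "Okt", "Nov", "Dez"],
}
TAIL = re.compile(r"(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})")


def malformed(value, rest):
    # Same shape as the message in the question: show where parsing stopped.
    return ValueError(f'Invalid format: "{value}" is malformed at "{rest}"')


def parse_clf_timestamp(value, locale="en"):
    """Parse dd/MMM/yyyy:HH:mm:ss Z using `locale` month names; return UTC."""
    head = re.match(r"(\d{2})/", value)
    if not head:
        raise malformed(value, value)
    rest = value[head.end():]
    names = MONTHS[locale]
    month = next((i for i, n in enumerate(names, 1)
                  if rest.startswith(n + "/")), None)
    if month is None:  # month text is not a name in this locale
        raise malformed(value, rest)
    tail_text = rest[len(names[month - 1]) + 1:]
    tail = TAIL.fullmatch(tail_text)
    if not tail:
        raise malformed(value, tail_text)
    year, hour, minute, second = (int(tail.group(i)) for i in range(1, 5))
    offset = timedelta(hours=int(tail.group(6)), minutes=int(tail.group(7)))
    if tail.group(5) == "-":
        offset = -offset
    local = datetime(year, month, int(head.group(1)), hour, minute, second,
                     tzinfo=timezone(offset))
    return local.astimezone(timezone.utc)


if __name__ == "__main__":
    ts = "02/Mar/2014:15:36:43 +0100"  # timestamp from the question
    print(parse_clf_timestamp(ts, "en").isoformat())
    try:
        parse_clf_timestamp(ts, "de")
    except ValueError as exc:
        print(exc)
```

Pinning the locale in the pipeline also keeps event timestamps consistent when the same configuration runs on hosts with different default locales.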