Datetime parsing errors when including locale de-AT

philippkahr · March 23, 2021, 12:21pm

Hi,

I am at a loss, we have to deal with german encodings of month such as Dezember instead of December, or März instead of March, which also impacts the MMM notation instead of Mar it is Mär. This is an example message:

23 Mär 2021 08:28:08,789 INFO additional log message

This is my custom grok pattern for the datetime JBOSSSERVERLOG %{MONTHDAY} %{MONTH} %{YEAR} %{TIME}

This is my logstash config:


input {
  file {
    path => "/Users/philipp/Downloads/logstash/log/demolog.log"
  }
}

filter {
    grok {
      patterns_dir => ["/Users/philipp/Downloads/logstash/pipeline/custompattern"]
      match => [
        "message","%{JBOSSSERVERLOG:timestamp} %{LOGLEVEL:log.level} %{GREEDYDATA:message}"
        ]
      add_field => ["received_at", "%{@timestamp}"]
    }
    if [timestamp] =~ /(?:Jan(?:uary)?|Feb(?:ruary)?|Mar(?:ch)?|Apr(?:il)?|May|June?|July?|Aug(?:ust)?|Sep(?:tember)?|Oct(?:ober)?|Nov(?:ember)?|Dec(?:ember)?)/ {
      date {
        tag_on_failure => ["english-datetime-error"]
        match => [
          "timestamp",
          "dd MMM yyyy HH:mm:ss,SSS",
          "MMM dd, yyyy h:mm:ss a",
          "MMM dd, yyyy hh:mm:ss a",
          "MMM dd, yyyy hh:mm:ss,SSS a",
		      "dd/MMM/yyyy:HH:mm:ss Z"
          ]
      }
    }else{
      date {
        locale => "de-AT"
        tag_on_failure => ["german-datetime-error"]
        match => [
          "timestamp",
          "dd MMM yyyy HH:mm:ss,SSS"
          ]
      }
    }
}

output {
    stdout{
      codec => json 
      }
}

However it always ends up in something like this

{
  "@timestamp": "2021-03-23T12:15:14.993Z",
  "host": "TAG-499.local",
  "log.level": "INFO",
  "path": "/Users/philipp/Downloads/logstash/log/demolog.log",
  "message": [
    "23 Mär 2021 08:28:08,789 INFO additional log message",
    "additional log message"
  ],
  "timestamp": "23 Mär 2021 08:28:08,789",
  "tags": ["german-datetime-error"],
  "@version": "1",
  "received_at": "2021-03-23T12:15:14.993Z"
}

Which makes no sense, since the date filter from logstash should match my own created timestamp field dd MMM yyyy HH:mm:ss,SSS.

I tried using de,de-AT,de-DE as locale but none of them worked. If I remove the tag on failure I get the default error with _dateparsefailure.

Here is a gist of running logstash with the --debug option. logstash datetime errors · GitHub

Any idea where I am going wrong?

system · April 20, 2021, 12:21pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Grok date filter problem with french timestamp Logstash	5	388	October 10, 2022
Mapping for 12h date format Elasticsearch	6	898	January 5, 2017
__dateparsefailure trying match date Logstash	2	422	October 14, 2017
Bug in grok pattern for german/austrian month Logstash	2	526	December 9, 2016
Match timestamps using different locales Logstash	4	466	March 30, 2018

Datetime parsing errors when including locale de-AT

Related topics