Grok date filter problem with french timestamp

marwen · September 11, 2022, 8:19pm

good day everyone, using elastic stack 17.7.5 I'm parsing log events to logstash
the problem is date filter not working with my logs (catalina) here is example:

avr. 23, 2022 1:46:19 PM org.apache.coyote.AbstractProtocol init
sept. 02, 2019 2:46:50 PM org.apache.coyote.AbstractProtocol init
déc. 05, 2019 12:08:58 PM org.apache.coyote.AbstractProtocol init

you can see month name is in french abbreviation and timestamp ends with AM/PM
here is date filter I used

date {
    match => [ "logdate", "MMM. dd, YYYY H:mm:ss a" ]
    timezone => "Europe/Paris"
    locale => "fr"
}

when I change locale to "en" and edit month name to English in log to debug, it works
but not with french month name, even if I used locale and timezone options.
any solution ? without asking client to change their logs output, and thanks

Badger · September 11, 2022, 11:15pm

In the fr locale MMM consumes the ., so use MMM dd, YYYY H:mm:ss a without the period. In fact dec. must have the trailing .. If it is missing you will get a _dateparsefailure.

Note that Elastic have no say in this. Java defines which locales require a trailing . on abbreviated month names.

marwen · September 11, 2022, 11:41pm

OMG thank you alot that is the problem, I was stuck there for days, you awesome

stephenb · September 12, 2022, 12:01am

@Badger Strikes again!
THX Today I learned!

leandrojmp · September 12, 2022, 12:13am

That's it, just repicated here for French and also tested for Portuguese, which also has . in the abbreviated month names and it works.

system · October 10, 2022, 12:13am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.