Grok date filter problem with french timestamp

Elastic Stack Logstash
1

good day everyone, using elastic stack 17.7.5 I'm parsing log events to logstash
the problem is date filter not working with my logs (catalina) here is example:

avr. 23, 2022 1:46:19 PM org.apache.coyote.AbstractProtocol init
sept. 02, 2019 2:46:50 PM org.apache.coyote.AbstractProtocol init
déc. 05, 2019 12:08:58 PM org.apache.coyote.AbstractProtocol init

you can see month name is in french abbreviation and timestamp ends with AM/PM
here is date filter I used

date {
    match => [ "logdate", "MMM. dd, YYYY H:mm:ss a" ]
    timezone => "Europe/Paris"
    locale => "fr"
}

when I change locale to "en" and edit month name to English in log to debug, it works
but not with french month name, even if I used locale and timezone options.
any solution ? without asking client to change their logs output, and thanks :heart:

2

In the fr locale MMM consumes the ., so use MMM dd, YYYY H:mm:ss a without the period. In fact dec. must have the trailing .. If it is missing you will get a _dateparsefailure.

Note that Elastic have no say in this. Java defines which locales require a trailing . on abbreviated month names.

2 Likes
3

OMG thank you alot that is the problem, I was stuck there for days, you awesome :heart:

4

@Badger Strikes again!
THX Today I learned!

5

That's it, just repicated here for French and also tested for Portuguese, which also has . in the abbreviated month names and it works.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.