Not able to parse date in format "YYYY-mm-dd:HH:mm:ss" using grok pattern

anisen · February 10, 2017, 1:40pm

My Log file looks like this:

2015-06-12:00:08:55 195.160.1.191 POST /abc/xyz - 80 - 192.160.1.129 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;+MS+Search+6.0+Robot) - 401 0 0 37
2015-06-12:00:08:54 195.160.1.191 POST /abc/xyz - 80 - 192.168.1.159 Mozilla/4.0+(compatible;+MSIE+4.01;+Windows+NT;+MS+Search+6.0+Robot) - 401 1 2148075254 5

I am using the below grok:

grok {
match => {
"message" => '%{HTTPDATE:timestamp} %{IPORHOST:clientip} %{NOTSPACE:method} %{NOTSPACE:uri} %{NOTSPACE:csuriquery} %{NOTSPACE:port} %{NOTSPACE:username} %{NOTSPACE:serverip} %{DATA:agent} %{NOTSPACE:referrer} %{NOTSPACE:status} %{NOTSPACE:sub_status} %{NOTSPACE:winstatus} %{NOTSPACE:responsetime}'
}
}

date {
match => [ "timestamp", "YYYY-mm-dd:HH:mm:ss" ]
locale => en
}

But, it is not parsing the date properly with HTTPDATE. What grok pattern should I use?

magnusbaeck · February 12, 2017, 6:31pm

Yeah, HTTPDATE won't match your timestamp format. Try this instead of %{HTTPDATE:timestamp}:

(?<timestamp>%{YEAR}-%{MONTHNUM}-%{MONTHDAY}:%{TIME})

Secondly, the pattern in your date filter can't possibly work since you have two occurrences of "mm".

system · March 12, 2017, 6:31pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.