Timestamp month name date matching

Elastic Stack Logstash
1

Hi everyone,
i have a problem with the timestamp month's name matching.
I have "29/Apr/2015" in the log file, if i set date locale = en, it works fine.
If i set date locale = it, it doesn't match more.

I can't find the problem! Is this related to my PC language settings?

Thanks!

2

Apparently, with Italian locale settings the abbreviated name of the month of April isn't "Apr" (perhaps it's "apr"—I believe the matching is case-sensitive), so the matching fails. Unless your logs actually contain Italian month names just set the locale parameter to English. With no explicit locale parameter set for the date filter it'll use the system default locale.

3

Thanks magnusbaeck,
after a long sequence of little tests I have found out exactly the problem!

With the locale option setted on "it", Logstash works in case sensitive mode and don't recognize "Apr", instead "apr", yes!
If the locale is setted on "en", Logstash is not case sensitive! and works in every case!

It's seems to be a bug, because with the previous version of Logstash, the 1.4.2, i did not have problem (with the same data source), but now i'm working with Logstash 1.5.2.

One more thing, in the official documentation, the example works with the month's name letter in upper-case of timestamp data source.

4

Hi Guys,
I have some issue with passing these time stamps from my log files through the Date filter.
13 AUG 2015 | 05:08:57 |

i wrote a grok filter that generates the field "logTimeStamp" as follows:

mutate{
             add_field => { "logTimeStamp" => "%{day} %{month} %{year} %{time}" }
	}

And later a Date filter as follows:

    date{
	 match =>["logTimeStamp","dd MMM YYYY HH:mm:ss" ]
	}

Yet the Date filter keeps failing an generating error msgs.
im suspecting its the fact that month are in uppercase letters... could that be it?

Thanks for the support
Eitan

5

Let's continue the discussion in the new topic that you started.