Weird "_dateparsefailure" issue

opellulo · September 16, 2020, 9:15am

Hi all,
I'm facing a really weird issue parsing the date from an access log that doesn't use standard ISO8601 format but one that looks like: [08/Sep/2020:18:39:23 +0200]

I captured the group with a simple grok in a field called "t_stamp" and then applied this date filter:

date {
    match => ["t_stamp", "dd/MMM/yyyy:hh:mm:ss Z"]
  }

Problem is that this works only in about 1/3 of the logs, the rest are indexed with a _dateparsefailure error:

Log correctly parsed

Log incorrectly parsed.

Since all the strings, option and fields seems the same I really cannot understand why this error. Any clue?

Badger · September 16, 2020, 3:00pm

hh is the clock hour of the half day (1 to 12). You should use HH.

opellulo · September 17, 2020, 6:44am

Oh, You're right, now everything works as expected.
I can't believe having fell for such a silly error.
Thanks

system · October 15, 2020, 6:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.