Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search

Metron Grok parser error on date field

Labels:
napoleon13e
New Contributor

Created ‎02-06-2018 10:45 PM

Hi,

I'm unable to get grok to parse the date in a apache log.

Here is the error I get:
Grok parser Error: For input string: "29/Jan/2018:06:02:41 -0600" on 66.123.45.67 - - [29/Jan/2018:06:02:41 -0600] "GET /f2c08g-bikec1089u.thm HTTP/1.1" 200 42887 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Here is my grok statement:
ACCESSLOG %{IPORHOST:ip_src_addr} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:agent}

And here is my parser config:
"parserConfig": { "grokPath": "/apps/metron/patterns/accesslog", "patternLabel": "ACCESSLOG", "timestampField": "timestamp", "dateFormat": "dd/MMM/yyyy:HH:mm:ss +-HHmm" }

The grok pattern has been verified in grok debugger and it's working fine. How can I get metron to parse that date format correctly?

1,862 Views
0 Kudos
4 REPLIES 4

napoleon13e
New Contributor

Created ‎02-07-2018 03:34 AM

I figure out that the property timeFields needs to be set in the parserConfig. Once I do that, I get a new error:

java.lang.ClassCastException: java.lang.String cannot be cast to java.util.List
at org.apache.metron.parsers.GrokParser.configure(GrokParser.java:62)
at org.apache.metron.rest.service.impl.SensorParserConfigServiceImpl.parseMessage(SensorParserConfigServiceImpl.java:167)

My config is:

"parserConfig": { "grokPath": "/apps/metron/patterns/accesslog", "patternLabel": "ACCESSLOG", "timestampField": "timestamp", "timeFields": "[timestamp]", "dateFormat": "dd/MMM/yyyy:HH:mm:ss Z" }.

Any ideas on what the problem could be?

1,396 Views
0 Kudos

StefanDunkler
Contributor

Created ‎07-27-2018 01:14 PM

@Napoleon Treizieme you need to set your timeFields field like this: ["datetime"] not like "[datetime]"

1,396 Views
0 Kudos

bvanhaute
New Contributor

Created ‎06-14-2018 12:07 PM

Hi, did you ever manage to fix this? We're having the same issue.

,

Did you manage to fix it? We're having the same issue.

1,396 Views
0 Kudos

rayarnav
New Contributor

Created ‎06-28-2018 04:28 AM

@Bob Van Haute

There is an error in the syntax.

The correct parser should have quoted timestamp not the brackets.

Here is the correct one.

"parserConfig": { "grokPath": "/apps/metron/patterns/accesslog", "patternLabel": "ACCESSLOG", "timestampField": "timestamp", "timeFields": ["timestamp"], "dateFormat": "dd/MMM/yyyy:HH:mm:ss Z" }.

1,396 Views
0 Kudos
Take a Tour of the Community
Don't have an account?
Register
Your experience may be limited. Sign in to explore more.
Announcements
Product Announcements
[ANNOUNCE] CDP Private Cloud Base 7.1.7 Service Pack 2 Released
Product Announcements
[ANNOUNCE] CDP Private Cloud Data Services 1.5.0 Released
Community Announcements
January 2023 Community Highlights
Product Announcements
[ANNOUNCE] New Cloudera JDBC Connector 2.6.30 for Impala is Released
What's New @ Cloudera
Cloudera Operational Database (COD) provides a CLI option to enable HBase region canaries
View More Announcements