Support Questions
Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.

Metron Grok parser error on date field

Highlighted

Metron Grok parser error on date field

Labels:
napoleon13e
New Contributor

Created ‎02-06-2018 10:45 PM

Hi,

I'm unable to get grok to parse the date in a apache log.

Here is the error I get:
Grok parser Error: For input string: "29/Jan/2018:06:02:41 -0600" on 66.123.45.67 - - [29/Jan/2018:06:02:41 -0600] "GET /f2c08g-bikec1089u.thm HTTP/1.1" 200 42887 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Here is my grok statement:
ACCESSLOG %{IPORHOST:ip_src_addr} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:agent}

And here is my parser config:
"parserConfig": { "grokPath": "/apps/metron/patterns/accesslog", "patternLabel": "ACCESSLOG", "timestampField": "timestamp", "dateFormat": "dd/MMM/yyyy:HH:mm:ss +-HHmm" }

The grok pattern has been verified in grok debugger and it's working fine. How can I get metron to parse that date format correctly?

Reply
537 Views
0 Kudos
4 REPLIES 4

Re: Metron Grok parser error on date field

napoleon13e
New Contributor

Created ‎02-07-2018 03:34 AM

I figure out that the property timeFields needs to be set in the parserConfig. Once I do that, I get a new error:

java.lang.ClassCastException: java.lang.String cannot be cast to java.util.List
at org.apache.metron.parsers.GrokParser.configure(GrokParser.java:62)
at org.apache.metron.rest.service.impl.SensorParserConfigServiceImpl.parseMessage(SensorParserConfigServiceImpl.java:167)

My config is:

"parserConfig": { "grokPath": "/apps/metron/patterns/accesslog", "patternLabel": "ACCESSLOG", "timestampField": "timestamp", "timeFields": "[timestamp]", "dateFormat": "dd/MMM/yyyy:HH:mm:ss Z" }.

Any ideas on what the problem could be?

Reply
71 Views
0 Kudos

Re: Metron Grok parser error on date field

StefanDunkler
Contributor

Created ‎07-27-2018 01:14 PM

@Napoleon Treizieme you need to set your timeFields field like this: ["datetime"] not like "[datetime]"

Reply
71 Views
0 Kudos

Re: Metron Grok parser error on date field

bvanhaute
New Contributor

Created ‎06-14-2018 12:07 PM

Hi, did you ever manage to fix this? We're having the same issue.

,

Did you manage to fix it? We're having the same issue.

Reply
71 Views
0 Kudos

Re: Metron Grok parser error on date field

rayarnav
New Contributor

Created ‎06-28-2018 04:28 AM

@Bob Van Haute

There is an error in the syntax.

The correct parser should have quoted timestamp not the brackets.

Here is the correct one.

"parserConfig": { "grokPath": "/apps/metron/patterns/accesslog", "patternLabel": "ACCESSLOG", "timestampField": "timestamp", "timeFields": ["timestamp"], "dateFormat": "dd/MMM/yyyy:HH:mm:ss Z" }.

Reply
71 Views
0 Kudos
Don't have an account?
Register
Coming from Hortonworks? Activate your account here