
Metron Grok parser error on date field

New Contributor

Hi,

I'm unable to get grok to parse the date in an Apache log.

Here is the error I get:
Grok parser Error: For input string: "29/Jan/2018:06:02:41 -0600" on 66.123.45.67 - - [29/Jan/2018:06:02:41 -0600] "GET /f2c08g-bikec1089u.thm HTTP/1.1" 200 42887 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Here is my grok statement:
ACCESSLOG %{IPORHOST:ip_src_addr} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:agent}

And here is my parser config:
"parserConfig": { "grokPath": "/apps/metron/patterns/accesslog", "patternLabel": "ACCESSLOG", "timestampField": "timestamp", "dateFormat": "dd/MMM/yyyy:HH:mm:ss +-HHmm" }

The grok pattern has been verified in grok debugger and it's working fine. How can I get Metron to parse that date format correctly?

Re: Metron Grok parser error on date field

New Contributor

I figured out that the property timeFields needs to be set in the parserConfig. Once I do that, I get a new error:

java.lang.ClassCastException: java.lang.String cannot be cast to java.util.List
at org.apache.metron.parsers.GrokParser.configure(GrokParser.java:62)
at org.apache.metron.rest.service.impl.SensorParserConfigServiceImpl.parseMessage(SensorParserConfigServiceImpl.java:167)

My config is:

"parserConfig": { "grokPath": "/apps/metron/patterns/accesslog", "patternLabel": "ACCESSLOG", "timestampField": "timestamp", "timeFields": "[timestamp]", "dateFormat": "dd/MMM/yyyy:HH:mm:ss Z" }

Any ideas on what the problem could be?

Re: Metron Grok parser error on date field

Contributor

@Napoleon Treizieme you need to set your timeFields field like this: ["datetime"] not like "[datetime]"

Re: Metron Grok parser error on date field

New Contributor

Hi, did you ever manage to fix this? We're having the same issue.


Re: Metron Grok parser error on date field

New Contributor

@Bob Van Haute

There is an error in the syntax.

The correct parser should have timestamp quoted, not the brackets.

Here is the correct one.

"parserConfig": { "grokPath": "/apps/metron/patterns/accesslog", "patternLabel": "ACCESSLOG", "timestampField": "timestamp", "timeFields": ["timestamp"], "dateFormat": "dd/MMM/yyyy:HH:mm:ss Z" }
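
A pre-flight check for the three parserConfig fragments posted in this thread, as an added example that is not part of the original posts and is not Metron code. The function names, the token table (a small subset of Java SimpleDateFormat mapped to Python strptime) and the rule that timestampField should appear in timeFields are assumptions made for illustration.

```python
import json
from datetime import datetime

# Subset of Java SimpleDateFormat tokens -> strptime (assumption: only the
# tokens used in this thread; quoted literals are not handled).
JAVA_TO_STRPTIME = {"dd": "%d", "MMM": "%b", "yyyy": "%Y",
                    "HH": "%H", "mm": "%M", "ss": "%S", "Z": "%z"}

def to_strptime(java_fmt):
    """Translate the pattern; non-letter characters are copied as literals."""
    out, seen, i = [], set(), 0
    while i < len(java_fmt):
        j = i + 1
        if java_fmt[i].isalpha():
            while j < len(java_fmt) and java_fmt[j] == java_fmt[i]:
                j += 1
            token = java_fmt[i:j]
            if token not in JAVA_TO_STRPTIME or token in seen:
                raise ValueError(f"unsupported or repeated token {token!r}")
            seen.add(token)
            out.append(JAVA_TO_STRPTIME[token])
        else:
            out.append(java_fmt[i].replace("%", "%%"))
        i = j
    return "".join(out)

def check_parser_config(fragment, sample_timestamp):
    """Return the problems found in a '"parserConfig": {...}' fragment."""
    cfg = json.loads("{" + fragment + "}")["parserConfig"]
    problems = []
    fields = cfg.get("timeFields")
    if not isinstance(fields, list) or not all(isinstance(f, str) for f in fields):
        problems.append("timeFields must be a JSON array of strings")
    elif cfg.get("timestampField") not in fields:
        # Assumption drawn from this thread: the timestamp field is one of timeFields.
        problems.append("timestampField is not listed in timeFields")
    try:
        datetime.strptime(sample_timestamp, to_strptime(cfg["dateFormat"]))
    except (KeyError, ValueError) as exc:
        problems.append(f"dateFormat rejected for the sample: {exc}")
    return problems

# Configs and timestamp copied from the posts above.
SAMPLE = "29/Jan/2018:06:02:41 -0600"
BASE = '"grokPath": "/apps/metron/patterns/accesslog", "patternLabel": "ACCESSLOG", "timestampField": "timestamp", '
STRING_FORM = '"parserConfig": {' + BASE + '"timeFields": "[timestamp]", "dateFormat": "dd/MMM/yyyy:HH:mm:ss Z"}'
ARRAY_FORM = '"parserConfig": {' + BASE + '"timeFields": ["timestamp"], "dateFormat": "dd/MMM/yyyy:HH:mm:ss Z"}'
FIRST_FORM = '"parserConfig": {' + BASE + '"dateFormat": "dd/MMM/yyyy:HH:mm:ss +-HHmm"}'

if __name__ == "__main__":
    for name, frag in [("first post", FIRST_FORM), ("string form", STRING_FORM), ("array form", ARRAY_FORM)]:
        print(name, check_parser_config(frag, SAMPLE))
```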