Announcements
Alert: Welcome to the Unified Cloudera Community. Former HCC members be sure to read and learn how to activate your account here.
napoleon13e
napoleon13e
New Contributor

Unable to parse the datetime in Metron using Grok ...

by New Contributor napoleon13e in Support Questions
‎02-16-2018 10:10 PM
‎02-16-2018 10:10 PM
I get the following error when trying to parse a date field from my log. Here is a sample log: 10.10.10.10 - - [29/Jan/2018:06:02:41 -0600] "GET /f2c08g-bikec1089u5ba.html HTTP/1.1" 200 42887 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" My config is: "parserConfig": { "grokPath": "/apps/metron/patterns/accesslog", "patternLabel": "ACCESSLOG", "timestampField": "timestamp", "timeFields": "[timestamp]", "dateFormat": "dd/MMM/yyyy:HH:mm:ss Z" }. My Grok statement is: %{IPORHOST:ip_src_addr} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:agent} The error I get: java.lang.ClassCastException: java.lang.String cannot be cast to java.util.Listat org.apache.metron.parsers.GrokParser.configure(GrokParser.java:62)at org.apache.metron.rest.service.impl.SensorParserConfigServiceImpl.parseMessage(SensorParserConfigServiceImpl.java:167) I've tried different dates format, and I'm still having the same issue. Any ideas on what the problem could be? ... View more
Labels:

Re: Metron Grok parser error on date field

by New Contributor napoleon13e in Support Questions
‎02-07-2018 03:34 AM
‎02-07-2018 03:34 AM
I figure out that the property timeFields needs to be set in the parserConfig. Once I do that, I get a new error: java.lang.ClassCastException: java.lang.String cannot be cast to java.util.List at org.apache.metron.parsers.GrokParser.configure(GrokParser.java:62) at org.apache.metron.rest.service.impl.SensorParserConfigServiceImpl.parseMessage(SensorParserConfigServiceImpl.java:167) My config is: "parserConfig": { "grokPath": "/apps/metron/patterns/accesslog", "patternLabel": "ACCESSLOG", "timestampField": "timestamp", "timeFields": "[timestamp]", "dateFormat": "dd/MMM/yyyy:HH:mm:ss Z" }. Any ideas on what the problem could be? ... View more

Metron Grok parser error on date field

by New Contributor napoleon13e in Support Questions
‎02-06-2018 10:45 PM
‎02-06-2018 10:45 PM
Hi, I'm unable to get grok to parse the date in a apache log. Here is the error I get: Grok parser Error: For input string: "29/Jan/2018:06:02:41 -0600" on 66.123.45.67 - - [29/Jan/2018:06:02:41 -0600] "GET /f2c08g-bikec1089u.thm HTTP/1.1" 200 42887 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" Here is my grok statement: ACCESSLOG %{IPORHOST:ip_src_addr} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:agent} And here is my parser config: "parserConfig": { "grokPath": "/apps/metron/patterns/accesslog", "patternLabel": "ACCESSLOG", "timestampField": "timestamp", "dateFormat": "dd/MMM/yyyy:HH:mm:ss +-HHmm" } The grok pattern has been verified in grok debugger and it's working fine. How can I get metron to parse that date format correctly? ... View more
Labels:
Contact Me
Online
Offline
Last Visited
‎02-16-2018 10:40 PM
Public Statistics
Date Registered ‎02-06-2018 07:21 AM
Last Visited ‎02-16-2018 10:40 PM
Total Messages Posted 3