napoleon13e
New Contributor

Unable to parse the datetime in Metron using Grok ...

by New Contributor in Support Questions
‎02-16-2018 10:10 PM
‎02-16-2018 10:10 PM
I get the following error when trying to parse a date field from my log. Here is a sample log: 10.10.10.10 - - [29/Jan/2018:06:02:41 -0600] "GET /f2c08g-bikec1089u5ba.html HTTP/1.1" 200 42887 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" My config is: "parserConfig": { "grokPath": "/apps/metron/patterns/accesslog", "patternLabel": "ACCESSLOG", "timestampField": "timestamp", "timeFields": "[timestamp]", "dateFormat": "dd/MMM/yyyy:HH:mm:ss Z" }. My Grok statement is: %{IPORHOST:ip_src_addr} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:agent} The error I get: java.lang.ClassCastException: java.lang.String cannot be cast to java.util.Listat org.apache.metron.parsers.GrokParser.configure(GrokParser.java:62)at org.apache.metron.rest.service.impl.SensorParserConfigServiceImpl.parseMessage(SensorParserConfigServiceImpl.java:167) I've tried different dates format, and I'm still having the same issue. Any ideas on what the problem could be? ... View more
Labels:

Re: Metron Grok parser error on date field

by New Contributor in Support Questions
‎02-07-2018 03:34 AM
‎02-07-2018 03:34 AM
I figure out that the property timeFields needs to be set in the parserConfig. Once I do that, I get a new error: java.lang.ClassCastException: java.lang.String cannot be cast to java.util.List at org.apache.metron.parsers.GrokParser.configure(GrokParser.java:62) at org.apache.metron.rest.service.impl.SensorParserConfigServiceImpl.parseMessage(SensorParserConfigServiceImpl.java:167) My config is: "parserConfig": { "grokPath": "/apps/metron/patterns/accesslog", "patternLabel": "ACCESSLOG", "timestampField": "timestamp", "timeFields": "[timestamp]", "dateFormat": "dd/MMM/yyyy:HH:mm:ss Z" }. Any ideas on what the problem could be? ... View more

Metron Grok parser error on date field

by New Contributor in Support Questions
‎02-06-2018 10:45 PM
‎02-06-2018 10:45 PM
Hi, I'm unable to get grok to parse the date in a apache log. Here is the error I get: Grok parser Error: For input string: "29/Jan/2018:06:02:41 -0600" on 66.123.45.67 - - [29/Jan/2018:06:02:41 -0600] "GET /f2c08g-bikec1089u.thm HTTP/1.1" 200 42887 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" Here is my grok statement: ACCESSLOG %{IPORHOST:ip_src_addr} %{USER:ident} %{USER:auth} \[%{HTTPDATE:timestamp}\] "(?:%{WORD:verb} %{NOTSPACE:request}(?: HTTP/%{NUMBER:httpversion})?|%{DATA:rawrequest})" %{NUMBER:response} (?:%{NUMBER:bytes}|-) %{QUOTEDSTRING:referrer} %{QUOTEDSTRING:agent} And here is my parser config: "parserConfig": { "grokPath": "/apps/metron/patterns/accesslog", "patternLabel": "ACCESSLOG", "timestampField": "timestamp", "dateFormat": "dd/MMM/yyyy:HH:mm:ss +-HHmm" } The grok pattern has been verified in grok debugger and it's working fine. How can I get metron to parse that date format correctly? ... View more
Labels:
Contact Me
Online
Offline
Last Visited
‎02-16-2018 10:40 PM
Public Statistics
Date Registered ‎02-06-2018 07:21 AM
Last Visited ‎02-16-2018 10:40 PM
Total Messages Posted 3