
Logstash: Parsing apache access log's timestamp leads to parse failure


I want to parse common Apache access log files, which look like this:

    ::1 - - [02/Mar/2014:15:36:43 +0100] "GET /index.php HTTP/1.1" 200 3133

This is my filter section:

    grok {
      match => ["message", "%{COMMONAPACHELOG}"]
    }
    date {
      match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"]
    }

All fields are getting recognized, but not the timestamp. The output on the console is the following:

    Failed parsing date from field {:field=>"timestamp", :value=>"02/Mar/2014:15:36:43 +0100", :exception=>java.lang.IllegalArgumentException: Invalid format: "02/Mar/2014:15:36:43 +0100" is malformed at "Mar/2014:15:36:43 +0100", :level=>:warn}

I already checked the docs for the date filter. It relies on DateTimeFormat.

What have I done wrong? I can't see the mistake.


Solution

The 'is malformed at "Mar/2014:15:36:43 +0100"' part of the error message indicates that the timestamp parser has a problem with the month name. This suggests that the default locale is something other than English (specifically, a language where the third month isn't abbreviated "Mar"). This can be solved by explicitly setting the locale used for the date filter's parsing:

    filter {
      date {
        ...
        locale => "en"
      }
    }
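
The locale dependence described in the answer can be reproduced outside Logstash. The following is an added example, not code from the question or the answer: it parses the timestamp from the question with the same pattern under three locales, and it uses the JDK's java.time in place of the Joda-Time DateTimeFormat that the date filter relies on (an assumption made to keep it dependency-free; the class name ApacheTimestampLocale is hypothetical).

```java
import java.time.OffsetDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.Locale;

public class ApacheTimestampLocale {
    // Same pattern as the date filter in the question.
    static final String PATTERN = "dd/MMM/yyyy:HH:mm:ss Z";

    // Returns the parsed timestamp, or null when parsing fails, e.g. because
    // the month abbreviation is not one the given locale recognises.
    static OffsetDateTime parse(String value, Locale locale) {
        DateTimeFormatter fmt = DateTimeFormatter.ofPattern(PATTERN, locale);
        try {
            return OffsetDateTime.parse(value, fmt);
        } catch (DateTimeParseException e) {
            // Report where parsing stopped, mirroring the "is malformed at" hint.
            String rest = e.getParsedString().substring(e.getErrorIndex());
            System.out.printf("locale=%s: malformed at \"%s\"%n", locale, rest);
            return null;
        }
    }

    public static void main(String[] args) {
        // Timestamp taken from the access log line in the question.
        String ts = "02/Mar/2014:15:36:43 +0100";
        Locale[] locales = {Locale.GERMAN, Locale.FRENCH, Locale.ENGLISH};
        for (Locale locale : locales) {
            OffsetDateTime parsed = parse(ts, locale);
            if (parsed != null) {
                // Normalise to UTC, as a log pipeline would for its event time.
                System.out.printf("locale=%s: parsed, UTC instant %s%n",
                        locale, parsed.toInstant());
            }
        }
    }
}
```

Pinning the parser's locale, as the answer does with locale => "en", makes the result independent of the host's default locale, so the same pipeline configuration produces the same event times on every collector.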