Date parsing "MMM dd, yyyy h:mm:ss a"

I’m trying to parse this date in a pipeline:

rule "Replace_Message_Timestamp_with_WEBLOGIC_TIMESTAMP"
// Incoming format: "Jul 15, 2019 12:18:38 AM"
when
    has_field("WEBLOGIC_TIMESTAMP")
then
    let new_date = parse_date(to_string($message.WEBLOGIC_TIMESTAMP), "MMM dd, yyyy h:mm:ss a", "BE", "Europe/Brussels");
    let formatted_date = format_date(new_date,"yyyy-MM-dd HH:mm:ss.SSS");
    set_field("graylog_timestamp", $message.timestamp);
   set_field("timestamp", formatted_date);
end

For other formats this approach is working fine but not for this particular format.
I checked with http://www.sdfonlinetester.info/# and although the format should be fine I get this message:

gl2_processing_error
For rule 'Replace_Message_Timestamp_with_WEBLOGIC_TIMESTAMP': In call to function 'parse_date' at 6:19 an exception was thrown: Invalid format: "Jul 15, 2019 12:18:38 AM"

I’m not sure how to continue parsing this date?
Thanks for any insight!

Hi Cukal,
just try this

rule "WEBLOGIC_TIMESTAMP"
when
    has_field("message")
then
    let pattern = "%{WEBLOGIC_TIMESTAMP}";
    let matches = grok(pattern: pattern, value: to_string($message.message));
    set_fields(matches);
    
    let new_date = parse_date(  to_string($message.timestamp), 
	                            "MMM dd, yyyy hh:mm:ss a", "Europe/Brussels");
    let formatted_date = format_date(new_date,"yyyy-MM-dd HH:mm:ss.SSS");
    set_field("timestamp", formatted_date);
	remove_field("WEBLOGIC_TIMESTAMP");
end

Hope this helps you.

simulate.PNG1242×404 32.1 KB

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.