GROK-Date-Parser always parses to January

derPhlipsi · July 19, 2017, 9:02am

Hey,

I just wanted to ask if I’m alone with this issue:
My timestamp looks like this:

[...].de) on Wed Jul 19 09:38:02 2017.

My GROK looks like this:

[...] on %{GREEDYDATA:syncRuleTimestamp;date;EEE MMM dd HH:mm:ss YYYY}.

But the month is somehow not recognized and seems to be defaulted to January.

When I remove the ;date;EEE MMM dd HH:mm:ss YYYY-part from the GROK-Pattern, you can see that the extracted information would be correct, but the parser doesn’t want the month for some reason

According to this website, my format-string is correct:

My workaround will be to use the flexible date parser as a second extractor (if this works, can’t test it yet), but my aim is to use the least amount of extractors possible

So, is there anybody with the same issue? Or am I simply stupid or blind?

Greetings - Phil

jochen · July 28, 2017, 1:53pm

The Grok extractor is backed by Java’s SimpleDateFormat, correct.

But somehow the website you’re using doesn’t follow the same rules.

In your case, the date pattern is wrong. It should read EEE MMM dd HH:mm:ss yyyy.

Letter	Date or Time Component	Presentation	Examples
y	Year	Year	1996; 96
Y	Week year	Year	2009; 09

system · August 11, 2017, 1:53pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Parse_date() returns January Graylog Central (peer support)	3	1278	June 12, 2020
Handling comma when converting extracted data to date type Graylog Central (peer support)	5	2216	May 3, 2018
Extractors not working Graylog Central (peer support) timestamp	7	1167	May 18, 2022
Problem with date extractor converter Graylog Central (peer support)	5	2206	June 28, 2022
GROK Pattern Skipping Data Graylog Central (peer support)	4	2166	September 14, 2020

GROK-Date-Parser always parses to January

Related topics