I’m trying to extract timestamp from Tomcat access log.
Example:[25/Oct/2020:15:03:11.386 +0000]
I use the following pattern to match it: \[%{DATA:timestamp;date;dd/MMM/yyyy:HH:mm:ss.S Z}\]
(also I tried to escape \.S)
When I verify matching in Extractor configuration I see the following:
timestamp_grokfailure
java.time.format.DateTimeParseException: Text ‘25/Oct/2020:15:03:11.386 +0000’ could not be parsed at index 22
timestamp
25/Oct/2020:15:03:11.386 +0000
What does it mean? It’s parsed but not parsed?
How I can fix it?
I’ve tried and got Attention We were not able to run the grok extraction. Please check your parameters.
From GROK definition I see another separator is used and there is no milliseconds field
I think I found the reason: S doesn’t mean ''whole miliiseconds part", but just one digit.
So I should use %{DATA:timestamp;date;dd/MMM/yyyy:HH:mm:ss.SSS Z} if milliseconds are represented as 3 digits.
But I believe they can be represented as 1 or 2 digits also, so need to cover such cases also
