Problem with TIMESTAMP_ISO8601 grok pattern

pwnell · December 8, 2018, 6:07pm

Here is my input data:

{"timestamp":"2018-12-08T09:42:02.610645-0800","flow_id":539201256297189}

Here is my grok pattern:

%{TIMESTAMP_ISO8601}

Here is the output:

HOUR
08
ISO8601_TIMEZONE
-0800
MINUTE
00
MONTHDAY
08
MONTHNUM
12
SECOND
02.610645
YEAR
2018

Why does it get the HOUR and MINUTE wrong? I tried the following grok pattern:

%{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{NUMBER:hour}:?%{NUMBER:minute}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?

And that gives:

42
HOUR
08
ISO8601_TIMEZONE
-0800
MINUTE
00
MONTHDAY
08
MONTHNUM
12
SECOND
02.610645
YEAR
2018
hour
09
minute
42

HOUR is defined as (?:2[0123]|[01]?[0-9]) in my Graylog.

What gives?

pwnell · December 8, 2018, 6:19pm

Figured it out. ISO8601_TIMEZONE is defined as (?:Z|[+-]%{HOUR}(?::?%{MINUTE})), which appends the TimeZone hour 08 and minute 00 to the HOUR and MINUTE unnamed captures. I cloned the ISO8601_TIMEZONE to be like: (?:Z|[+-]%{HOUR:TZHOUR}(?::?%{MINUTE:TZMINUTE})) and now it no longer creates an array for HOUR and MINUTE.

Looks like a bug to me.

system · December 22, 2018, 6:19pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GROK Pattern for timestamp Graylog Central (peer support)	3	831	March 12, 2021
Handling comma when converting extracted data to date type Graylog Central (peer support)	5	2216	May 3, 2018
Getting correct timezone for timestamp Graylog Central (peer support) pipeline-rules , debuggingpl	3	4130	June 2, 2020
GROK Pattern Skipping Data Graylog Central (peer support)	4	2166	September 14, 2020
Apply Correct timezone and convert date Graylog Central (peer support) pipeline-rules	3	4090	April 14, 2020

Problem with TIMESTAMP_ISO8601 grok pattern

Related topics