#logstash

Paul Wellner Bou, we salute you.. https://joda-time-parse-debugger.herokuapp.com/

been using that for a while - joda parsing does my head in

it's handy

got some guys trying to parse some oracle db logs

which has month in letters all caps

which non of the default logstash patterns detect

They do leading capital three letter months

turns out joda parses it fine

so just needed to get the string into a @metadata field

we have a cool case here. Hour=[1,24]

because the dev thought having 0 for an hour would be confusing

and it's in prod, and customers are using the API

so it can never be changed

I know you can use k for that, but it's still annoying

that's rediculous

who thinks of these things

hmm.. i guess in the right context

1st hour, 2nd hour

if you're treating them as buckets

well the numbers for 1-23 are fine. But midnight is never 24 anywhere else - that's the stupid part

but not the stupidest part, unfortunately

short version - the filter to parse these logs is 300 lines long

can't you just gsub ^24: for 00: ?

eitherway, sounds like a pain

berglh: I used so much gsub in these filters even thinking about using it makes me feel dirty now

but no, joda "k" does the trick anyway

it's just super-annoying finding all the uses of it in the logs - you gotta look for the midnight entries

also: whyyyyyyy

it would be nice if I could say: this log file uses joda k

but it's a mish-mash of stuff and there's no consistency

I need to parse half the entry out before I can even decide how to parse the date

things like KV lines with json in the middle

but the KV part doesn't have consistent separators

some are commas, some are spaces - on the same line

it's the second-worst lot of logs that I've ever dealt with

..the worst being one that had miltiline ascii-decorated tables in it

*multiline

yeah..

i feel your pain

the kv filed split string should not be a char class, but a regex