[Citrix_adc] Add headerless log patterns #17094
Pinging @elastic/integration-experience (Team:Integration-Experience)
| - MM/dd/yyyy:HH:mm:ss | ||
| - MM/dd/yyyy:HH:mm:ss z | ||
| - dd/MM/yyyy:HH:mm:ss | ||
| - dd/MM/yyyy:HH:mm:ss z |
This isn't going to work as expected, you can't have both MM/dd and dd/MM in the same format list as it is ambiguous.
For instance, what is 04/10/2025?
If they are expecting dd/MM, it's going to select MM/dd since it is first in the list. So basically, it only works as expected when the date is > 12.
We had this come up in a previous PR for a different integration... Let me see if I can find it. If I recall, we had to have a configurable for the date format.
@jrmolin, was this something you added at one point to an integration? A configurable date format?
The customer might have to set this as a config since we can't do this reliably:
```yaml
fields:
  _conf:
    tz_offset: UTC
    # custom_date_format: <CUSTOM_DATE_FORMAT>
    #
    # Custom Date Format: Format to use to parse the date/time fields in the data.
    #
    # This is used to build a Java DateTimeFormatter in [Painless](https://www.elastic.co/guide/en/elasticsearch/painless/current/painless-datetime.html) to parse the incoming date. For Day/Month/Year... parsing, this could be "dd/MM/yyyy:HH:mm:ss".
    #
    # If not populated, this matches any of "yyyy/MM/dd:HH:mm:ss", "MM/dd/yyyy:HH:mm:ss", or the ISO8601 standard.
```
yeah, we added something like this custom date formatter, but I don't know if any customer is going to use it. the citrix devices send back local time, which can either be MM/dd or dd/MM, depending on the locale. so they'd have to be really sure their devices are all one locale or another
the custom date parsing happens immediately above this
alright I am going to revert the date changes and notify support
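The ambiguity discussed in this thread, as an added example (not code from this PR or from the integration): a Python check that reads the leading timestamp of sample headerless lines and reports whether the day/month order can be determined from them, which is what a user needs to know before setting `custom_date_format`. The function names and the sample log lines are constructed for illustration.

```python
import re
from datetime import datetime

# Leading timestamp of a headerless line: "<pri> NN/NN/YYYY:HH:MM:SS ..."
TS_RE = re.compile(r"^<\d+>\s+(\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2})")

# Candidate orders, keyed by the Java-style patterns named in the thread.
CANDIDATES = {
    "MM/dd/yyyy:HH:mm:ss": "%m/%d/%Y:%H:%M:%S",
    "dd/MM/yyyy:HH:mm:ss": "%d/%m/%Y:%H:%M:%S",
}

def valid_formats(ts):
    """Return the set of candidate patterns under which ts is a real date."""
    ok = set()
    for name, fmt in CANDIDATES.items():
        try:
            datetime.strptime(ts, fmt)
            ok.add(name)
        except ValueError:
            pass
    return ok

def infer_order(lines):
    """Classify a batch: one pattern name, 'ambiguous', or 'conflict'."""
    remaining = set(CANDIDATES)
    for line in lines:
        m = TS_RE.match(line)
        if m:
            remaining &= valid_formats(m.group(1))
    if len(remaining) == 2:
        return "ambiguous"   # every sample parses both ways (or none matched)
    if not remaining:
        return "conflict"    # mixed locales in one batch, or invalid dates
    return remaining.pop()

def first_match(ts, order):
    """What an ordered format list does: the first pattern that parses wins."""
    for name in order:
        if name in valid_formats(ts):
            return name, datetime.strptime(ts, CANDIDATES[name]).date().isoformat()
    return None, None

# Constructed sample lines (not from a real device).
AMBIGUOUS = ["<134> 04/10/2025:17:50:13 GMT host 0-PPE-1 : default AAATM LOGOUT 1 0 : x"]
DAY_FIRST = AMBIGUOUS + ["<134> 25/10/2025:09:00:00 GMT host 0-PPE-1 : default AAATM LOGOUT 2 0 : x"]
```

A batch that comes back `ambiguous` needs more samples (any day above 12 settles it), and `conflict` means the devices feeding that input do not share one locale.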
c70d5cf to d92ac3b
| <134> 02/06/2025:17:50:13 GMT PRODSYVPX01 0-PPE-1 : default AAATM LOGOUT 12956311 0 : User username.example.com.au - Client_ip - Nat_ip "Mapped Ip" - Vserver 0.0.0.0:0 - Start_time "02/06/2025:17:50:13 GMT" - End_time "02/06/2025:17:50:13 GMT" - Duration 00:00:00 - Http_resources_accessed 0 - Total_TCP_connections 0 - Total_policies_allowed 0 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "TimedOut" - Group(s) "N/A" | ||
| <134> 07/09/2025:19:04:20 GMT test-ns-internal-b 0-PPE-0 : default AAATM LOGOUT 316696334 0 : Context flsmsp0154@hs.mydomain.com@175.16.199.1 - SessionId: 40982902 - User flsmsp0154@hs.mydomain.com - Client_ip 175.16.199.1 - Nat_ip \"Mapped Ip\" - Vserver 0.0.0.0:0 - Start_time \"07/09/2025:18:28:20 GMT\" - End_time \"07/09/2025:19:04:20 GMT\" - Duration 00:36:00 - Http_resources_accessed 0 - Total_TCP_connections 0 - Total_policies_allowed 2 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 0 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod \"TimedOut\" - Group(s) \"N/A\" | ||
| <135> 07/09/2025:19:48:23 GMT test-ns-internal-b 0-PPE-0 : default AAATM HTTPREQUEST 318039900 0 : Context 48x0529@hs.mydomain.com@175.16.199.1 - SessionId: 39526570 - test.customdomain.com User 48x0529@hs.mydomain.com : Group(s) N/A : Vserver 67.43.156.1:8085 - 07/09/2025:19:48:23 GMT : SSO is OFF : CONNECT test.customdomain.com:443 - - | ||
| <135> 07/09/2025:19:04:21 GMT test-ns-internal-b 0-PPE-0 : default AAATM HTTPREQUEST 318039900 0 : Context 48x0529@hs.mydomain.com@175.16.199.1 - SessionId: 39526570 - test.customdomain.com User 48x0529@hs.mydomain.com : Group(s) N/A : Vserver 67.43.156.1:8085 - 07/09/2025:19:48:23 GMT : SSO is OFF : CONNECT test.customdomain.com:443 - - |
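Review bot: every leading timestamp in these sample lines (02/06/2025, 07/09/2025) has both date fields at 12 or below, so none of them would fail to parse under the wrong day/month order and the test cannot catch a swapped day and month. Consider adding a headerless sample whose day is above 12. In the last HTTPREQUEST line the leading 19:04:21 differs from the embedded 19:48:23; a short comment in the test stating that the leading value is the one expected to become the event timestamp would make that intent explicit.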
Was the first timestamp changed to make sure that we aren't grabbing the second timestamp by accident?
Yes, the first change was to test the timestamp that the customer had an issue with, but I reverted back to one that is similar to the original since we are solving it now through the config.
💚 Build Succeeded
Package citrix_adc - 1.18.1 containing this change is available at https://epr.elastic.co/package/citrix_adc/1.18.1/
Proposed commit message
Added grok processing for headerless logs