Can't find correct Joda Time Documentation


#1

Hi,

I am using Logstash to parse some install logs. I have a field named LOG_DATE and the grok pattern is correct but I need to change the field from a string to a date. I am using the date filter plugin to do this. I have used this correctly before but I cannot seem to get the Joda abbreviations correct.

Here is what the LOG_DATE field looks like:

Mon Sep 11 13:49:24 EDT 2017

Here is what I am currently trying in the date filter:

    date {
      match => [ "log_date", "EEE MMM dd HH:mm:ss ZZZ YYYY" ]
      target => "logdate"
      locale => "en"
      remove_field => [ "log_date" ]
    }

I am still getting a date parse error and the field LOGDATE (no underscore) is not being created.

Thank you for your help!

Miranda


#2

I have found my own solution. The time zone that is being added to my target log files is not on the list of known abbreviations for Joda-time.

For anyone else who may have a similar issue, the list of known time zones for Joda-time can be found here:
http://joda-time.sourceforge.net/timezones.html

To be able to use this special time zone I have added a date pattern that has the abbreviation statically defined if Joda does not detect the given time zone.

    date {
      match => [ "log_date", "EEE MMM dd HH:mm:ss ZZZ YYYY", "EEE MMM dd HH:mm:ss 'EDT' YYYY" ]
      target => "logdate"
      locale => "en"
      remove_field => [ "log_date" ]
    }
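
An added example, not part of the original posts: the literal-abbreviation fallback from post #2, extended to cover both daylight and standard time. A quoted abbreviation is matched as plain text and gives the parser no offset, so the `timezone` option says which zone the wall-clock time is in. The value America/New_York is an assumption about where the logs were written.

```logstash
filter {
  date {
    # Quoted abbreviations are matched as literal text and carry no offset.
    # List one pattern per abbreviation the log source can emit.
    match => [
      "log_date",
      "EEE MMM dd HH:mm:ss 'EDT' YYYY",
      "EEE MMM dd HH:mm:ss 'EST' YYYY"
    ]
    # Assumption: the logs come from a host on US Eastern time. Without this
    # option the time is interpreted in the Logstash host's default zone,
    # which shifts every event if the two hosts are in different zones.
    timezone => "America/New_York"
    target => "logdate"
    locale => "en"
    # Events matching none of the patterns get this tag (the plugin default,
    # written out here) so parse failures can be searched for and alerted on.
    tag_on_failure => [ "_dateparsefailure" ]
    # Applied only when parsing succeeds, so failed events keep log_date.
    remove_field => [ "log_date" ]
  }
}
```

With this filter, the sample line `Mon Sep 11 13:49:24 EDT 2017` is stored in `logdate` as 17:49:24 UTC regardless of the zone the Logstash host runs in.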
