I have one field named event-reporting-time which has a string like this: "Mar 27 2018 02:32:10 AM -07:00". I have used the following filter:
date {
match => [ "event-reporting-time", "MMM dd yyyy KK:mm:ss aa ZZ", "MMM dd yyyy K:mm:ss aa ZZ"]
}
It doesn't work and doesn't even output with _dateparsefailure tag.
I further tested removing the trailing ZZ from the match, and it indexes data with _dateparsefailure tag.
Then I deleted -07:00 from the date and with the ZZ already removed, again no indexing happens. Any clue what's going on?
How do you know it is not indexed? In Kibana, does the time range you are viewing include the morning of March 27th? When I pass that string to that date filter it successfully sets @timestamp to 2018-03-27T09:32:10.000Z
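One way to check the point raised in the reply, as an added example that is not part of the original thread: a stand-alone pipeline that feeds the sample string through the same date filter and prints the event to the console, so the result can be inspected without Kibana's time picker. The generator input, the json codec and the file name date-test.conf are assumptions made for this test.

```logstash
# date-test.conf (hypothetical file name); run with: bin/logstash -f date-test.conf
input {
  generator {
    # Constructed sample event carrying the string from the question
    lines => [ '{"event-reporting-time": "Mar 27 2018 02:32:10 AM -07:00"}' ]
    count => 1
    codec => "json"
  }
}

filter {
  date {
    # Same patterns as in the question
    match => [ "event-reporting-time", "MMM dd yyyy KK:mm:ss aa ZZ", "MMM dd yyyy K:mm:ss aa ZZ" ]
    # Default shown explicitly: a failed parse adds this tag and leaves @timestamp at ingest time
    tag_on_failure => [ "_dateparsefailure" ]
  }
}

output {
  # Print the full event, including @timestamp and tags
  stdout { codec => rubydebug }
}
```

A successful parse prints @timestamp as 2018-03-27T09:32:10.000Z, the value reported in the reply. The event is then stored under that 2018 time, so a Kibana view limited to recent minutes will not show it.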