Hi,
I have syslogs in both PST and CET timezones. One such example is below. I read the log using the file plugin and add the timestamp to a field named logtimestamp. Everything works fine except when I do the date parse. I am not sure how I should write my matcher here so that the timestamp will be updated accordingly. I tried the following:
"yyyy/mm/dd@HH:mm:ss-Z", "yyyy/mm/dd@HH:mm:ss-z", "yyyy/mm/dd@HH:mm:ss-TZ" but nothing seems to be working.
Following is a log snippet with both PST and CET. I split DETAIL, TIME, THREAD and Message from the lines below, and the timestamp is written to the field "logtimestamp".
PST
[level=DETAIL, time=2016/01/30@13:19:10-PST, thread=ClientClean, msg=<<<EC: eval results: rv=0,stdout="",stderr="">>>]
CET
[level=DETAIL, time=2016/02/15@14:59:53-CET, thread=ClientClean, msg=<<<EC: eval results: rv=0,stdout="",stderr="">>>]
I get the following error:
Failed parsing date from field {:field=>"logtimestamp", :value=>"2016/01/26@00:52:47-PST", :exception=>"Invalid format: \"2016/01/26@00:52:47-PST\" is malformed at \"-PST\"", :config_parsers=>"yyyy/mm/dd@HH:mm:ss-Z",
Following is my date parser:
date {
  match => ["logtimestamp" , "yyyy/mm/dd@HH:mm:ss-Z"]
  target => "@timestamp"
  add_field => { "debug" => "timestampMatched" }
}
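
An added example, not part of the original post: Ruby code that splits the log line format shown above and converts the `time` value to UTC, so events logged in different zones can be ordered on one timeline. The abbreviation-to-offset table is an assumption (fixed offsets, no DST rules), and the function names and the `timestamp_unparsed` tag are hypothetical.

```ruby
require 'time'

# Assumption: fixed UTC offsets per abbreviation (no DST rules applied).
TZ_OFFSETS = {
  'PST' => '-08:00', 'PDT' => '-07:00',
  'CET' => '+01:00', 'CEST' => '+02:00'
}.freeze

LINE_RE  = /\A\[level=(?<level>[^,]+), time=(?<time>[^,]+), thread=(?<thread>[^,]+), msg=(?<msg>.*)\]\z/m
STAMP_RE = %r{\A(\d{4})/(\d{2})/(\d{2})@(\d{2}):(\d{2}):(\d{2})-([A-Z]{2,5})\z}

# Returns an ISO 8601 UTC string, or nil when the shape or zone is unknown.
def normalize_timestamp(stamp)
  m = STAMP_RE.match(stamp)
  return nil unless m
  offset = TZ_OFFSETS[m[7]]
  return nil unless offset            # unknown abbreviation: do not guess
  parts = m.captures.first(6).map(&:to_i)
  Time.new(*parts, offset).utc.iso8601
rescue ArgumentError                  # out-of-range field such as month 13
  nil
end

# Splits one log line into fields; keeps the raw value and tags failures.
def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  utc = normalize_timestamp(m[:time])
  {
    'level' => m[:level], 'thread' => m[:thread], 'msg' => m[:msg],
    'logtimestamp' => m[:time],
    '@timestamp' => utc,
    'tags' => utc ? [] : ['timestamp_unparsed']
  }
end

# Sample input: the two lines from the post plus one constructed line
# with an unknown zone abbreviation.
SAMPLE_LINES = [
  '[level=DETAIL, time=2016/01/30@13:19:10-PST, thread=ClientClean, msg=<<<EC: eval results: rv=0,stdout="",stderr="">>>]',
  '[level=DETAIL, time=2016/02/15@14:59:53-CET, thread=ClientClean, msg=<<<EC: eval results: rv=0,stdout="",stderr="">>>]',
  '[level=DETAIL, time=2016/02/15@14:59:53-XYZ, thread=ClientClean, msg=constructed]'
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_LINES.each { |l| puts parse_line(l).inspect }
end
```
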