The date in my logs looks like that:
Nov 5, 2017 11:06:30 PM CST
I tried to parse it like that:
date {
match => [ "timestamp" , "MMM dd, yyyy KK:mm:ss aa Z" ]
}
or like that:
date {
match => [ "timestamp" , "MMM dd, yyyy HH:mm:ss aa Z" ]
}
But still getting the error:
[1] "_dateparsefailure"
What is the right way to parse this date format?
Thanks
Sharon.
According to the docs, valid timezones are listed on this page, and CST is not one of them. Is that the same as CST6CDT?
mutate { gsub => [ "message", "CST", "CST6CDT" ] }
date { match => [ "message", "MMM d, yyyy HH:mm:ss a ZZZ" ] }
Yes, it is the same , but still : "_dateparsefailure"
I tried few ways including yours.
mutate {
gsub => [ "timestamp", "CST", "CST6CDT" ]
}
date {
match => [ "timestamp", "MMM dd, yyyy hh:mm:ss aa Z" ]
}
Thanks
Sharon.
I think I found the issue. Will let you know.
Looks your answer was good.
Your answer was actually perfect.
(I had two different timestamp fields in same events with same name)
Thanks a lot
Sharon.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.