Dateparsefailure for "yyyy-MM-dd-HH:mm:ss.SSSZZ" format

Hi,
My log file has the format of timestamp like '2018-08-20-14:10:16.496+8:00...something...'. It looks like ISO8601 but it uses '-' instead of 'space' between date and time. I can't use ISO8601 to match my logs in the grok code. Then I copy TIMESTAMP_ISO8601 to TIMESTAMP_MYFORMAT in the grok-patterns file and modify it as below:
TIMESTAMP_ISO8601 %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
TIMESTAMP_MYFORMAT %{YEAR}-%{MONTHNUM}-%{MONTHDAY}-%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}?
In this way I can grok it as %{TIMESTAMP_MYFORMAT:logdate} and output to stdout as it is.
But it fails when I try to replace the timestamp with logdate. I get dateparsefailure. Below is my debug step:
my.conf:
input {
stdin{}
}
filter{
date{
match => ["message","yyyy-MM-dd-HH:mm:ss.SSSZZ"] # <- I tried Z and ZZ but all failed
}
}
output{
stdout{
codec=>rubydebug
}
}
result:

echo '2018-08-20-14:10:16.496+8:00' | ./bin/logstash -f config/my.conf
{
"host" => "myhost",
"tags"=>[
[0] "_dateparsefailure"
],
"@timestamp" =>2018-08-21T06:00:33.685Z,
"message"=>"2018-08-20-14:10:16.496+8:00"
}
Anyone can help? Thanks.

After some more test, the 'ZZ' doesn't work in my case. As the document says, ZZ should match +8:00 format( in document example is -7:00) .
Remove time zone from logdate will work but it's not a good way for me since my log files located in many countries.

Currently, I use the match code below and it works. But I think there is another good/better way.
match => ["logdate","yyyy-MM-dd-HH:mm:ss.SSS'+8:00'"]
And in other countries, I need to modify the +8:00 to the right timezone.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.