Hi everyone,
I have logs in a dd/MM/YYYY HH:mm:ss format using the CET timezone, and I am trying to extract the Day of the week for CET and not UTC.
We used this at first
date {
match => [ "date", "dd/MM/YYYY HH:mm:ss" ]
timezone => "Europe/Paris"
}
mutate {
add_field => {"dow" => "%{+EEEE}"}
}
But realized that any logs that happened between 00:00AM and 00:59 AM would get the "dow" field set to the previous day (which is logical since it's still the same day in UTC time). For some reason I don't understand, Logstash corrects the time and sends it in UTC when it could be sending it with the timezone delta (Z+0100).
We found an ugly way to trick logstash by making it believe all logs were in UTC before injecting "dow" and then correcting the timestamps.
date {
match => [ "date", "dd/MM/YYYY HH:mm:ss" ]
timezone => "UTC"
add_field => {"dow" => "%{+EEEE}"}
}
date {
match => [ "date", "dd/MM/YYYY HH:mm:ss" ]
target => "@timestamp"
timezone => "Europe/Paris"
}
This is certainly not the best way to do this and I was wondering if the community could help me figure out a cleaner way?
Bonus points if there's a way to change the day of week from english to any other language without having to resort to a translate filter 
. The locale option seems to be usable only for parsing, and not for outputting %{+EEEE}
Any help is much appreciated.