Hi,
I would like to parse this string with this timestamp for example:
Fri, 30 Oct 2015 15:12:17 CET
But in the pattern documentation I am not able to find any pattern that would work for me.
Thanks in advance
None of the stock patterns match your timestamp exactly, but DATESTAMP_RFC2822 is very close:
%{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE}
Just replace ISO8601_TIMEZONE with something that matches your timezone name. Or actually, since the date filter can't parse timezone names anyway you might as well use WORD to match it.
Ok, thanks for your help, it's so useful.
One more thing, what I like to do is to have all the different date formats matched against a single field, for separating out the correct timestamps. So first I put any time / date relevant data parsed out to the timestamp field, then I put all the different 'versions' of date formats together like this:
date {
match => [ "timestamp" , "EEE MMM dd HH:mm:ss y", "EEE MMM dd HH:mm:ss ZZZ yyyy", "EEE MMM d HH:mm:ss ZZZ yyyy", "dd/MMM/yyyy:HH:mm:ss Z", "YYYY-MM-dd HH:mm:ss", "YYYY-MM-dd HH:mm:ss Z", "YYYY-MMM-dd HH:mm:ss", "dd.MM.YY HH:mm:ss", "MMM dd, yyyy hh:mm:ss a", "dd.MM.YY-HH:mm:ss", "MMM dd HH:mm:ss" ]
}
And yes, the difference in output of date commands like 'Nov 2, 2015' and 'Nov 10, 2015' bugs me, as I have to use two different patterns for single and double digit day values.
For your format, I think correct would be "EEE, dd MMM yyyy HH:mm:ss ZZZ"
If in need, consult the joda time page referenced in the date filter doc.
Hope to help,
Thorsten
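An added example, not written by either poster: a Logstash filter that applies the first reply's suggestion (DATESTAMP_RFC2822 with WORD in place of ISO8601_TIMEZONE) to `Fri, 30 Oct 2015 15:12:17 CET` and keeps the raw value when parsing fails, so events with a wrong `@timestamp` can be found later. The field names `ts` and `tz_name`, the `message` source field and the `Europe/Paris` zone are assumptions.

```logstash
filter {
  grok {
    # DATESTAMP_RFC2822 with ISO8601_TIMEZONE swapped for WORD.
    # The date and time go into "ts"; the zone abbreviation goes into
    # "tz_name" so it stays out of the string the date filter parses.
    # "ts" and "tz_name" are hypothetical field names.
    match => {
      "message" => "(?<ts>%{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME}) %{WORD:tz_name}"
    }
  }

  date {
    # Two patterns, one per day-of-month width, as in the multi-pattern
    # approach described above.
    match => [ "ts", "EEE, dd MMM yyyy HH:mm:ss", "EEE, d MMM yyyy HH:mm:ss" ]

    # Assumption: the source host runs on Central European time.
    # The zone is pinned here instead of being read from the abbreviation.
    timezone => "Europe/Paris"

    # Day and month names in the sample are English.
    locale => "en"

    # remove_field is applied only when parsing succeeds, so a failed
    # event still carries the raw "ts" and "tz_name" for investigation.
    remove_field => [ "ts" ]

    # Default tag, written out so the conditional below is self-explanatory.
    tag_on_failure => [ "_dateparsefailure" ]
  }

  # On failure @timestamp keeps the ingest time, which skews any
  # time-based correlation. Mark those events explicitly.
  if "_dateparsefailure" in [tags] {
    mutate {
      add_field => { "timestamp_source" => "ingest_time" }  # hypothetical field
    }
  }
}
```

Searching for `_dateparsefailure` after deployment shows which log sources emit a format none of the patterns cover.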