Version 6.1.2
I'm attempting to parse timestamps from various log sources using the date filter.
Due to it being multiple log sources with very similar timestamp formats (think 2018/03/14 vs 2018/14/03),
I wanted to define a field for specific log sources that included the expected timestamp format.
Excerpt from the filters where the field is set, here for the Cisco ASA timestamp format:
mutate {
    add_field => {"[@metadata][timeFormat]" => "MMM dd HH:mm:ss"}
    replace => {"[@metadata][timeZone]" => "America/Chicago"}
}
And later on, the date filter where I thought I could use the field [@metadata][timeFormat] set earlier:
date {
    locale => "en"
    timezone => "%{[@metadata][timeZone]}"
    match => [ "timestamp", "%{[@metadata][timeFormat]}" ]
    target => "timestamp"
}
This fails with:
:exception=>"Java::JavaLang::IllegalArgumentException
:message=>"Illegal pattern component: t"
After searching around for it, I guess this means that it attempted to use the string "%{[@metadata][timeFormat]}" as the format, and at the first t in metadata it failed.
If I use
    match => [ "timestamp", "MMM dd HH:mm:ss" ]
it works fine and Logstash does not complain.
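
One way to get a per-source format while keeping every `match` pattern a literal string, as an added example that is not part of the original post: a conditional selects the date block instead of interpolating the pattern. The field `[@metadata][timeFormatKey]`, its values and the `_timeformat_unset` tag are hypothetical names, and the example assumes, consistent with the error above, that `%{...}` references in `match` patterns are not expanded.

```logstash
filter {
  # Source-specific filters set a short key rather than a pattern string, e.g.
  #   mutate { add_field => { "[@metadata][timeFormatKey]" => "cisco_asa" } }
  # The key name and its values below are hypothetical.

  if [@metadata][timeFormatKey] == "cisco_asa" {
    date {
      locale   => "en"
      timezone => "America/Chicago"
      match    => [ "timestamp", "MMM dd HH:mm:ss" ]   # literal pattern
      target   => "timestamp"
    }
  } else if [@metadata][timeFormatKey] == "ymd_slash" {
    # 2018/03/14 read as year/month/day
    date {
      match  => [ "timestamp", "yyyy/MM/dd" ]
      target => "timestamp"
    }
  } else if [@metadata][timeFormatKey] == "ydm_slash" {
    # 2018/14/03 read as year/day/month
    date {
      match  => [ "timestamp", "yyyy/dd/MM" ]
      target => "timestamp"
    }
  } else {
    # No key set: leave the raw string untouched and mark the event so a
    # source with an undeclared format is visible instead of being guessed.
    mutate { add_tag => [ "_timeformat_unset" ] }
  }
}
```

Listing several patterns in a single `match` array would not separate the two slash formats, since a value such as 2018/03/04 parses under both; branching on the declared source keeps day and month from being swapped silently in the event timeline.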