Hi,
In our logs, we have our date time as below and trying to set the same to timestamp field in logstash. But it's giving dateparsefailure.
Any help in this is useful.
Logs : the below data is mapped as DateTime using grok filter.
//
MonJune10201909:36:58EDT
FriJune03201902:08:31BST
//
Our logstash config has :
//
mutate { add_field => [ "ts" , "%{DateTime}" ] }
date {
match => [ "ts", "EMMMMddyyyyHH:mm:ssz" ]
target => "@timestamp"
}
//
Hi,
Can someone please provide input / fix for this?
In your date filter, shouldn't your match pattern be as follows?
match => [ "ts", "EEEMMMMddyyyyHH:mm:ssz" ]
That should match the three-letter date abbreviation, rather than the one-character abbreviation your original pattern would match.
The first one parses just fine. This one gets a _dateparsefailure because BST could be one of several different timezones. Use mutate+gsub to replace it with something unambiguous.
The logstash documentation implies, and experimentation confirms, that E, EE, and EEE all match three character abbreviations. I cannot find it in the Joda documentation.
I misread then. Thanks.
Thank you Badger for your input. Let me try replacing timezones using mutate+gsub.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.