There are multiple files parsed through Logstash, and those files are based on country, and each country has its specific timestamp, i.e. 2016-02-24 14:13:04 [without timezone].
And it looks like Logstash only shows files in the present, and if we consider Spain it would be 1 hour ahead of UTC, hence those files seem to not get parsed until the actual time has arrived, and in the same condition, but that would not be good for realtime monitoring.
And having countries with +10, -5 etc., this is turning out to be a bit of a pain.
Any idea if something similar would work, or what would be the best way to deal with the below conditions?
filter {
  if [type] == "some-Error-Log" {
    grok {
      match   => { "message" => "%{MYCUSTOMPATTERN}" }
      # Both tags are set in one add_tag array
      add_tag => [ "groked", "some-Error-Log" ]
    }
    # Every country listed here is parsed as Europe/Rome local time
    if [countryCode] in ["CH", "DE", "FR", "PL", "NL", "IT", "ES", "IE"] {
      date {
        # Four-digit year, as in 2016-02-24 14:13:04
        match    => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
        timezone => "Europe/Rome"
        target   => "@timestamp"
      }
    }
    # Both countries are parsed as America/New_York local time
    if [countryCode] in ["CA", "US"] {
      date {
        match    => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
        timezone => "America/New_York"
        target   => "@timestamp"
      }
    }
  }
}
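
One way to handle this, as an added example that is not part of the original post: map `countryCode` to an IANA zone once and pass the result to the date filter, whose `timezone` option accepts `%{field}` references. It assumes grok has already set `countryCode` and `timestamp`; the zone chosen for each country and the `unmapped_country_tz` tag are assumptions.

```logstash
filter {
  if [type] == "some-Error-Log" {
    # Look up the zone for this event's country. The result goes into
    # @metadata so it is available to later filters but never indexed.
    translate {
      source     => "countryCode"       # older plugin versions name this "field"
      target     => "[@metadata][tz]"   # older plugin versions name this "destination"
      dictionary => {
        "CH" => "Europe/Zurich"
        "DE" => "Europe/Berlin"
        "FR" => "Europe/Paris"
        "PL" => "Europe/Warsaw"
        "NL" => "Europe/Amsterdam"
        "IT" => "Europe/Rome"
        "ES" => "Europe/Madrid"
        "IE" => "Europe/Dublin"          # Ireland is not on Central European Time
        "CA" => "America/New_York"       # kept as in the post; assumes eastern sites only
        "US" => "America/New_York"
      }
    }

    if [@metadata][tz] {
      # One date filter for every country: the local timestamp is
      # interpreted in the looked-up zone and stored as UTC in @timestamp.
      date {
        match    => [ "timestamp", "yyyy-MM-dd HH:mm:ss" ]
        timezone => "%{[@metadata][tz]}"
        target   => "@timestamp"
      }
    } else {
      # No mapping for this country: flag the event instead of silently
      # indexing it with a timestamp in the wrong zone.
      mutate { add_tag => [ "unmapped_country_tz" ] }
    }
  }
}
```

A country code cannot identify the zone for multi-zone countries such as US and CA; those need a per-site or per-host field as the dictionary key.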