Hi,
I would like to match the date [Mon Apr 4 12:23:30 CDT 2016] in my log file. I tried:
filter {
grok {
match => [
"message",
"(?%{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{YEAR})"
]
}
date {
match => [ "mytimestamp", "EEE MMM dd HH:mm:ss YYYY","YYYY-MM-dd HH:mm:ss,SSS"]
#target=> "@timestamp"
timezone => "America/Los_Angeles"
locale => "en"
add_tag => [ "tsmatch" ]
}
}
All works fine, except timezone.
I have also tried it with "EEE MMM dd HH:mm:ss ZZZ YYYY", but no luck. Any suggestions would be helpful.
As documented, timezone names can't be parsed (because they are ambiguous).
Magnus, thank for your response. How can i assign the date [Mon Apr 4 12:23:30 CDT 2016] to @timestamp filed, by default logstash will assign the time when it started to parse the file but i need to replace the @tampstamp value with the date inside my file.
For example:
Mon Apr 4 12:23:30 CDT 2016
@timestap:"2016-04-04TT20:23:30.548Z"
If all timestamps have the same timezone you can ignore the timezone when parsing and just set the date filter's timezone option. If they do differ you can use the translate filter to translate the timezone string to the actual offset (since you probably have enough knowledge to make that translation unambiguously, i.e. you know that CDT in your case always means UTC-5 but a generic library can't be sure if it's UTC-5 or UTC-4). Once you have an offset the date filter will be happy to parse it.
If i understand it correctly, i can see two options:
-
We can ignore/remove the timezone from the input date [ Mon Apr 4 12:23:30 CDT 2016 => "Mon Apr 4 12:23:30 2016"]
-
The offset of my time zone CDT : "UTC Offset: UTC -5", if it is CST then offset is "UTC Offset: UTC -6".
I don't see how your second bullet constitutes an "option" to the first one, but yes, if your timezone is always America/Chicago (or whatever's appropriate) you can drop the timezone id string from your timestamp string and configure it statically in your date filter.
Ok, i would like to drop the timezone from the date field.
Mon Apr 4 12:23:30 CDT 2016 => "2016-04-04 12:23:30"
Can you help me how to drop the timezone from the date filed.
You can e.g. use the mutate filter's gsub option.