Using Date plugin to parse apache2 error log datetime

Hi all!

I am trying to use Logstash to parse apache2 error logs.

These logs contain a datetime in a format such as Fri Oct 03 09:07:41.570 2023. I have already successfully transferred this string into a field "eventfire" using the grok pattern %{HTTPDERROR_DATE:eventfire}

Now, I want to set the @timestamp field to this date using the date plugin for Logstash.

I have set it up like this:

filter {
    date {
        match => [ "eventfire", "EEE MMM dd HH:mm:ss.SSS yyyy" ]
    }
}

The format of the date, EEE MMM dd HH:mm:ss.SSS yyyy, should be correct, because when I fired up a simple Java application with org.joda.time and used this format, it returned the same datetime as the eventfire field above.

However, the @timestamp field didn't change to this date.

So, I tried to use the ruby plugin. I ended up with the following code:

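date_str = event.get("eventfire")
begin
    require "date"
    # DateTime.parse infers the layout from the string; no format is given
    date = DateTime.parse(date_str)
    # to_i converts to whole epoch seconds
    event.set("@timestamp", LogStash::Timestamp.at(date.to_time.to_i))
rescue Exception => e
    # tag the event instead of failing when the string cannot be parsed
    event.tag("date_parse_failure")
end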

which works and correctly sets the @timestamp field. Even if I don't set a format for the date, the DateTime.parse() function correctly parses Fri Oct 03 09:07:41.570 2023.

My question is: why didn't the date plugin work? What did I do wrong?

Your date filter works for me. Perhaps a locale issue?

Thanks, but I tried experimenting with this field, setting en, en-US, en_US, but it didn't have any effect.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
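
An added example, not code from the thread: a stand-alone Ruby sketch of the ruby-filter workaround above that checks the eventfire string against its exact shape, keeps the milliseconds that date.to_time.to_i discards, and flags a weekday that disagrees with the calendar date (the sample string in the thread names Friday, while 3 October 2023 was a Tuesday). The function name, the weekday_mismatch tag and reading the zone-less string as UTC are assumptions.

```ruby
require "date"

# Shape of the timestamp quoted in the thread: "Fri Oct 03 09:07:41.570 2023".
# Group 1 is the weekday token, group 2 the part handed to strptime.
STAMP_RE  = /\A(Mon|Tue|Wed|Thu|Fri|Sat|Sun) ([A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d{3} \d{4})\z/
STAMP_FMT = "%b %d %H:%M:%S.%L %Y" # strptime form of "MMM dd HH:mm:ss.SSS yyyy"

# Hypothetical helper (not a Logstash API). Returns { epoch_ms:, tags: }.
# epoch_ms is nil when the string is not a usable timestamp.
# Assumption: the string carries no zone, so it is read as UTC.
def parse_error_log_time(str)
  failure = { epoch_ms: nil, tags: ["date_parse_failure"] }
  m = STAMP_RE.match(str.to_s)
  return failure unless m

  begin
    dt = DateTime.strptime(m[2], STAMP_FMT)
  rescue ArgumentError
    # Right shape but not a real date or month, e.g. "Feb 30".
    return failure
  end

  tags = []
  # The weekday in the text has to agree with the calendar date; a mismatch
  # is worth surfacing before the value is used to order events.
  # "weekday_mismatch" is a tag name made up for this example.
  tags << "weekday_mismatch" unless Date::ABBR_DAYNAMES[dt.wday] == m[1]

  # %Q is milliseconds since the Unix epoch, so the .570 survives.
  { epoch_ms: dt.strftime("%Q").to_i, tags: tags }
end

# Constructed sample values; the second is the string quoted in the thread.
[
  "Tue Oct 03 09:07:41.570 2023",
  "Fri Oct 03 09:07:41.570 2023",
  "Tue Feb 30 09:07:41.570 2023",
  "2023-10-03 09:07:41"
].each do |sample|
  puts format("%-30s -> %s", sample, parse_error_log_time(sample).inspect)
end
```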