The problem I'm running into is that I don't know how to parse the very verbose "Pacific Daylight Time" (and presumably all the other possible timezone descriptions) and ensure that they are correctly stored by grok when doing a date-match such as this:
date {
  match => ["eventTimeStr", "YYYY-MM-dd HH:mm:ss.SSS Z"]
}
At this point I don't know if changing the log format to use a numeric timezone is an option. But that might be outside of my control, so I'd prefer to come up with a solution that does not require changing the logs.
Apart from changing the log format (which I think you should pursue on general principle since it's completely idiotic and not even convenient for humans) you can use a translate filter to transform the verbose timezone string names into UTC offsets. I'm guessing you have a finite set of timezone names appearing in your logs.
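As an added example (not code from the thread), here is a Logstash filter pipeline that implements the translate-filter suggestion: split eventTimeStr into the timestamp and the verbose timezone name, map the name to a numeric UTC offset, rebuild a string the date filter can parse with Z, and tag events whose timezone name is not in the map instead of stamping them with a wrong time. The field names event_ts, event_tz_name, event_tz_offset and event_time_numeric, the dictionary entries, and the assumption that eventTimeStr looks like "2014-09-16 10:42:13.123 Pacific Daylight Time" are mine, not the original poster's.

```logstash
filter {
  # Assumed input (constructed): eventTimeStr = "2014-09-16 10:42:13.123 Pacific Daylight Time"
  # Split the numeric part from the verbose timezone name.
  grok {
    match => { "eventTimeStr" => "^%{TIMESTAMP_ISO8601:event_ts} %{GREEDYDATA:event_tz_name}$" }
  }

  # Map the verbose name to a fixed UTC offset. This is only safe because the
  # names themselves distinguish standard from daylight time; a name that is
  # used year-round for both would need a real tz database lookup instead.
  # Plugin versions before translate 3.3 call these options "field"/"destination".
  translate {
    source => "event_tz_name"
    target => "event_tz_offset"
    exact  => true
    dictionary => {
      "Pacific Standard Time"      => "-0800"
      "Pacific Daylight Time"      => "-0700"
      "Eastern Standard Time"      => "-0500"
      "Eastern Daylight Time"      => "-0400"
      "Coordinated Universal Time" => "+0000"
    }
  }

  if [event_tz_offset] {
    # Rebuild "2014-09-16 10:42:13.123 -0700" and parse it with the Z offset token.
    mutate {
      add_field => { "event_time_numeric" => "%{event_ts} %{event_tz_offset}" }
    }
    date {
      match  => ["event_time_numeric", "YYYY-MM-dd HH:mm:ss.SSS Z"]
      target => "@timestamp"
    }
  } else {
    # Unknown timezone name: keep the event but make the gap visible so the
    # dictionary can be extended rather than silently recording a wrong time.
    mutate {
      add_tag => ["_timezone_unmapped"]
    }
  }
}
```

A date filter that still fails to parse the rebuilt string adds the standard _dateparsefailure tag, so both failure modes can be searched for in the index.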
Thanks for the suggestion, Magnus. I'll definitely look into the translate filter. (And, yes, I share your thoughts about the 'idiotic' logging choice.)