"Verbose" timezone

Hi all,

I'm trying to create a grok statement for an httpd "access" log with entries like the following:

127.0.0.1 - - 2017-04-20 02:15:42.369 Pacific Daylight Time 80 "HEAD /favicon.ico HTTP/1.1" "-" 200 - "-" 1004 WPh8Pgrmjx8AACx4h8oAAABl

The problem I'm running into is that I don't know how to parse the very verbose "Pacific Daylight Time" (and presumably all the other possible timezone descriptions) and ensure that they are correctly stored by grok when doing a date-match such as this:

date {
  match => ["eventTimeStr", "YYYY-MM-dd HH:mm:ss.SSS Z"]
}

At this point I don't know if changing the log format to use a numeric timezone is an option. But that might be outside of my control, so I'd prefer to come up with a solution that does not require changing the logs.

Thoughts?

Thanks much,
Greg

So it appears what I want to do is not possible...

https://www.elastic.co/guide/en/logstash/current/plugins-filters-date.html

z time zone names. Time zone names (z) cannot be parsed.

If I'm misunderstanding, please let me know. (Seems changing the logs may be the only option.)

Thanks,
Greg

Apart from changing the log format (which I think you should pursue on general principle since it's completely idiotic and not even convenient for humans) you can use a translate filter to transform the verbose timezone string names into UTC offsets. I'm guessing you have a finite set of timezone names appearing in your logs.

Thanks for the suggestion, Magnus. I'll definitely look into the translate filter. (And, yes, I share your thoughts about the 'idiotic' logging choice.)