"date" filter combined with "mutate" issues
Description
Activity

Philippe Weber April 26, 2013 at 4:39 AM
Best answer given considering current timezone handling in the date filter.

y January 30, 2013 at 12:31 PM
Using your mutate trick, things started to magically work! Thanks. The log message is no longer dropped without any explanation. Guess some parsing error occurred somewhere without throwing an exception.

Philippe Weber January 30, 2013 at 12:18 PM
Small z is not supported as is, and there is no solution inside the date filter to specify a timezone.
But what you could do is

y January 30, 2013 at 12:01 PM
This line is dropped (both with and without the locale => UTC)
439053: ciscodevice123.com: Jan 25 2013 14:31:58.235 UTC : Message text
Btw. What would be the correct way of setting UTC time? I attempted to use the "ss.SSS zzz" filter, but got an exception saying that UTC could not be parsed.

Philippe Weber January 30, 2013 at 11:18 AM (edited)
Could you give me a failing example line that is dropped?
The only strange stuff I see is that you set locale => UTC where you should use a language locale like en or en_US.
This config works as expected (replaces @message with "Message text", and populates hostname + timestamp fields) - but if I uncomment the date filter:
When timestamp should be a match (non-empty), the log event is dropped (never sent to ElasticSearch output)
When field.timestamp is empty, @message is written to ElasticSearch as "%{message_remainder}" (unresolved variable)