On Fri, Nov 18, 2016 at 03:45:34PM +0000, Mike Brudenell wrote:
> Are you sure it's not just a case of configuring Elasticsearch so that it
> parses the incoming date field? I'd expect it to be flexible in what it can
> take in, and this documentation page (found by using Google to search for
> "elasticsearch change date format") suggests it's possible:
Exactly that. Using logstash here, pull the date off the start
with a pattern in grok like
%{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}(?: %{ISO8601_TIMEZONE})?
which goes into the "exim_date" field, and then use date to parse
it, e.g.
date {
  match => [ "exim_date", "yyyy-MM-dd HH:mm:ss Z",
                          "yyyy-MM-dd HH:mm:ss" ]
}
Exim is one of the better applications out there - it actually
includes a timezone in its logs :)
Matthew
--
Matthew Newton, Ph.D. <mcn4@???>
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <ithelp@???>
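As an added illustration of the grok-plus-date approach above (this is not code from the thread or from Exim/Logstash), the following Python does the same two steps outside the pipeline: a regex equivalent of the grok pattern pulls the leading timestamp off an Exim-style log line, and the parse accepts the timezone when present and otherwise requires the caller to state the host's zone, rather than silently assuming one. That matters when logs from several mail hosts are lined up for an investigation, because a naive timestamp tagged with the wrong zone shifts that host's events by hours. The sample lines are constructed, with a placeholder message id and example addresses; the function names and the default_tz parameter are my own.

```python
import re
from datetime import datetime, timedelta, timezone

# Python equivalent of the grok pattern from the message:
#   %{YEAR}-%{MONTHNUM}-%{MONTHDAY} %{TIME}(?: %{ISO8601_TIMEZONE})?
# ISO8601_TIMEZONE accepts "Z" or +/-HH[:]MM, so the same forms are allowed here.
EXIM_DATE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})"
    r"(?: (?P<tz>Z|[+-]\d{2}:?\d{2}))?"
    r"(?: (?P<rest>.*))?$"
)


def parse_tz(tz):
    """Turn "Z", "+0000" or "+01:00" into a tzinfo; None stays None."""
    if tz is None:
        return None
    if tz == "Z":
        return timezone.utc
    sign = 1 if tz[0] == "+" else -1
    digits = tz[1:].replace(":", "")
    offset = timedelta(hours=int(digits[:2]), minutes=int(digits[2:]))
    return timezone(sign * offset)


def parse_exim_timestamp(line, default_tz=None):
    """Return (timezone-aware datetime, remainder of the line).

    Mirrors the two patterns given to the date filter: the first needs a
    zone, the second does not. A zone-less line is only accepted when the
    caller says which zone it was written in (default_tz, e.g. "+00:00",
    an assumed parameter), so no zone is silently guessed.
    """
    m = EXIM_DATE_RE.match(line)
    if not m:
        raise ValueError("line does not start with an Exim-style timestamp: %r" % line)
    naive = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
    tz = parse_tz(m["tz"])
    if tz is None:
        tz = parse_tz(default_tz)
    if tz is None:
        raise ValueError("no timezone in line and no default_tz given: %r" % line)
    return naive.replace(tzinfo=tz), m["rest"] or ""


def to_utc_iso(line, default_tz=None):
    """Normalise the line's timestamp to UTC in ISO 8601 for cross-host correlation."""
    ts, _ = parse_exim_timestamp(line, default_tz)
    return ts.astimezone(timezone.utc).isoformat()


# Constructed sample lines: placeholder message id and example.org addresses,
# not real traffic. The third line has no zone, as a host without log_timezone
# would write it.
SAMPLE_LINES = [
    "2016-11-18 15:45:34 +0000 1cXXXX-000000-00 <= alice@example.org H=mail.example.org",
    "2016-11-18 15:45:34 +0100 1cXXXX-000000-00 => bob@example.org R=dnslookup T=remote_smtp",
    "2016-11-18 15:45:34 1cXXXX-000000-00 Completed",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ts, rest = parse_exim_timestamp(line, default_tz="+00:00")
        print(to_utc_iso(line, default_tz="+00:00"), "|", rest)
```

Run as a script it prints each line's UTC timestamp beside the remainder of the line; the zone-less third line is rejected if default_tz is left out, which is the behaviour you want in a correlation tool even though the date filter's second pattern would quietly accept it.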