When using date-parser() on logs whose timestamps contain a timezone abbreviation (e.g. PST), the format string must use %z (lower-case z) instead of %Z.
The documentation is incorrect; using %z for the timezone allows the parser to work correctly.
Below is an example config, followed by an example log and the resulting parsed log:
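source s_dptest {
    file(
        "/var/log/dptest.log"
        # no-parse: skip syslog header parsing, so the whole line is in ${MSG}
        flags(no-parse)
    );
};
parser p_dptest {
    date-parser(
        # %z (lower-case) matches the timezone field, here "PST"
        format("%Y-%m-%d %H:%M:%S:%f %z")
        # the first 27 characters of the line hold the timestamp
        template("$(substr ${MSG} 0 27)")
    );
};
destination d_dptest {
    file(
        "/var/log/dptest_parsed.log"
        template("${S_ISODATE} ${MESSAGE} S_MSEC=${S_MSEC}\n")
    );
};
log {
    source(s_dptest);
    parser(p_dptest);
    destination(d_dptest);
};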
Example Log:
2020-10-11 14:32:41:550 PST This is a test of the date-parser()
Resulting Parsed Log:
2020-10-11T14:32:41-08:00 2020-10-11 14:32:41:550 PST This is a test of the date-parser() S_MSEC=550
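An added example, not from the original article or the syslog-ng project: a Python check that lines written with the d_dptest template carry an S_ISODATE and S_MSEC that agree with the timestamp inside the message, which catches a timezone that was not applied. The TZ_OFFSETS table, the function name check_parsed_line and the sample lines are assumptions constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed abbreviation -> UTC offset (hours); constructed for this example.
TZ_OFFSETS = {"PST": -8, "PDT": -7, "EST": -5, "EDT": -4, "UTC": 0, "GMT": 0}

# Mirrors the d_dptest template: ${S_ISODATE} ${MESSAGE} S_MSEC=${S_MSEC}
LINE_RE = re.compile(
    r"^(?P<iso>\S+) "
    r"(?P<raw>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):(?P<ms>\d{3}) (?P<tz>[A-Z]{2,5}) "
    r".* S_MSEC=(?P<smsec>\d+)$"
)

def check_parsed_line(line):
    """Return a list of problems for one output line; an empty list means OK."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return ["line does not match the destination template"]
    if m["tz"] not in TZ_OFFSETS:
        return [f"no offset known for timezone abbreviation {m['tz']}"]
    # What the timestamp inside the message says, as an aware datetime.
    expected = datetime.strptime(m["raw"], "%Y-%m-%d %H:%M:%S").replace(
        tzinfo=timezone(timedelta(hours=TZ_OFFSETS[m["tz"]])))
    try:
        stamped = datetime.fromisoformat(m["iso"])
    except ValueError:
        return [f"S_ISODATE {m['iso']!r} is not an ISO 8601 timestamp"]
    problems = []
    # Wall-clock time and offset must both match; a missing or wrong
    # offset means the timezone field was not applied by the parser.
    if (stamped.utcoffset() != expected.utcoffset()
            or stamped.replace(tzinfo=None) != expected.replace(tzinfo=None)):
        problems.append(
            f"S_ISODATE is {m['iso']}, expected {expected.isoformat()}")
    if int(m["smsec"]) != int(m["ms"]):
        problems.append(f"S_MSEC is {m['smsec']}, expected {m['ms']}")
    return problems

if __name__ == "__main__":
    # Constructed sample lines: the article's result, then a wrong offset.
    body = "2020-10-11 14:32:41:550 PST This is a test of the date-parser()"
    for iso in ("2020-10-11T14:32:41-08:00", "2020-10-11T14:32:41+00:00"):
        line = f"{iso} {body} S_MSEC=550"
        print(check_parsed_line(line) or "OK", "<-", line)
```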