Logstash Date Has the Wrong Year?

Question

I'm parsing Nginx logs into logstash with the following config:

input { stdin { type => "nginx"}}

filter {
    grok {
        type => nginx
        pattern => "%{COMBINEDAPACHELOG}"
    }
    date {
        type => nginx
        match => [
            "timestamp",
            "dd/MMM/YYYY:HH:mm:ss Z"
        ]
    }
 }

 output { stdout { debug => true debug_format => "ruby"}}

Except here's the problem: when I pass in a log with a @timestamp of "04/Sep/2012:12:44:16 -0500" I get (as the result timestamp) "2013-09-04T17:44:16.000Z". Wrong year. Is this a bug?

I just tried your config with an old 2012 apache log and it worked. This was with the latest logstash-1.2.1. — Dan Garthwaite, Oct 23 '13 at 16:16
I'll add an answer as soon as/if I find one. For now, I just grabbed a different archive log file to sample from. — Brian Hicks, Oct 23 '13 at 19:38
Possibly. It's a log file from 2013 so the problem would be masked. — Brian Hicks, Oct 24 '13 at 03:41

score 1 · Answer 1 · answered Apr 29 '15 at 15:47

1

From the documentation as linked to from logstash documentation you've picked the wrong syntax in your date filter. Try using yyyy (year) instead of YYYY (year of era), I believe that should correct the issue you are reporting.

I hope that helps!

answered Apr 29 '15 at 15:47

Rumbles

994
1
12
28

Logstash Date Has the Wrong Year?

1 Answers1