diff --git a/patterns/grok-patterns b/patterns/grok-patterns index 4850b44ebd0..726f97a5192 100755 --- a/patterns/grok-patterns +++ b/patterns/grok-patterns @@ -68,7 +68,7 @@ ISO8601_SECOND (?:%{SECOND}|60) TIMESTAMP_ISO8601 %{YEAR}-%{MONTHNUM}-%{MONTHDAY}[T ]%{HOUR}:?%{MINUTE}(?::?%{SECOND})?%{ISO8601_TIMEZONE}? DATE %{DATE_US}|%{DATE_EU} DATESTAMP %{DATE}[- ]%{TIME} -TZ (?:[PMCE][SD]T|UTC) +TZ (?:[PMCE][SD]T|UTC|CEST|CET) DATESTAMP_RFC822 %{DAY} %{MONTH} %{MONTHDAY} %{YEAR} %{TIME} %{TZ} DATESTAMP_RFC2822 %{DAY}, %{MONTHDAY} %{MONTH} %{YEAR} %{TIME} %{ISO8601_TIMEZONE} DATESTAMP_OTHER %{DAY} %{MONTH} %{MONTHDAY} %{TIME} %{TZ} %{YEAR} diff --git a/spec/filters/grok.rb b/spec/filters/grok.rb index 94dbbfaac9b..cdfff4ac7f3 100644 --- a/spec/filters/grok.rb +++ b/spec/filters/grok.rb @@ -500,4 +500,28 @@ insist { subject["foo"] }.is_a?(String) end end + + + describe "Dates with time zone are correctly interpreted" do + config <<-CONFIG + filter { + grok { + match => [ "message", "%{DATESTAMP_RFC822:stimestamp}" ] + singles => true + } + } + CONFIG + sample "Tue Jan 01 2013 04:51:39 CEST" do + insist { subject["stimestamp"] }== "Tue Jan 01 2013 04:51:39 CEST" + end + sample "Tue Jan 01 2013 04:51:39 CET" do + insist { subject["stimestamp"] }== "Tue Jan 01 2013 04:51:39 CET" + end + sample "Tue Jan 01 2013 04:51:39 UTC" do + insist { subject["stimestamp"] }== "Tue Jan 01 2013 04:51:39 UTC" + end + end + + + end