Hello Rainer, 

While implementing the flexible ES templates we were stopped by a time zone 
problem. Let me describe it:

1) We have a message template like: 
  
##CEE TEMPLATE
template(name="cee" type="list") {
...
constant(value="@cee: {")
...
        property(name="timegenerated" dateFormat="rfc3339" format="jsonf" outname="@timestamp") constant(value=", ")
...


2) Sending this message using RELP:

ruleset(name="relp_cee") {
     action(type="omrelp" Template="cee" Target="core" Port="20514")  
} 


3) Log server is receiving this message:

input(type="imrelp" Port="20514")
action(type="mmjsonparse")

if $parsesuccess == "OK" then {

        action(type="omelasticsearch" server="localhost" template="ES-All"
               searchIndex="es_index-default" searchType="events" dynSearchIndex="on"
               bulkmode="on" queue.dequeuebatchsize="5000" queue.size="100000"
               queue.workerthreads="5" );
}       


and puts it into ES using the index

## ES Index template
template(name="es_index-default" type="list") {
        property(name="$!msg_class" ) constant(value="-")       
        property(name="$!msg_view" ) constant(value="-") 
        property(name="@timestamp" dateFormat="rfc3339" position.from="1" position.to="4") constant(value=".")
        property(name="@timestamp" dateFormat="rfc3339" position.from="6" position.to="7") constant(value=".")
        property(name="@timestamp" dateFormat="rfc3339" position.from="9" position.to="10")
}


Let's say the date is 2014-07-01T01:30:00.000000+03:00

If we extract the index name using the "es_index-default" template, we'll get 
"X-Y-2014-07-01". 
But in fact, the correct date relative to the ES timestamp needs to be 
"X-Y-2014-06-30". 
The properties "$month" and "$date" get the same numbers.

Can you add a property option that helps to get $month/$date/ (maybe rfc3339) 
as an absolute (UTC) value?
Thanks!

---
Best regards,
Eugene Istomin
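
The mismatch described in the message above, as an added example that is not part of the original post and is not rsyslog code: it compares the date cut out of the rfc3339 string by character position (as the es_index-default template does) with the date after converting to UTC. The function names and all sample timestamps except the first are constructed for illustration.

```python
from datetime import datetime, timezone

def parse_rfc3339(ts):
    # datetime.fromisoformat() before Python 3.11 rejects a trailing "Z"
    if ts.endswith(("Z", "z")):
        ts = ts[:-1] + "+00:00"
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("timestamp carries no UTC offset: %r" % ts)
    return dt

def suffix_by_position(ts, sep="."):
    # Same character positions as the template: 1-4, 6-7, 9-10.
    # This is the sender's local calendar date; the offset is ignored.
    return sep.join((ts[0:4], ts[5:7], ts[8:10]))

def suffix_utc(ts, sep="."):
    # Normalize to UTC first, then take the calendar date.
    utc = parse_rfc3339(ts).astimezone(timezone.utc)
    return utc.strftime("%Y" + sep + "%m" + sep + "%d")

def index_name(msg_class, msg_view, suffix):
    return "%s-%s-%s" % (msg_class, msg_view, suffix)

def misfiled(timestamps, sep="."):
    """Return (timestamp, local_suffix, utc_suffix) where the two dates differ."""
    out = []
    for ts in timestamps:
        local, utc = suffix_by_position(ts, sep), suffix_utc(ts, sep)
        if local != utc:
            out.append((ts, local, utc))
    return out

# Constructed samples; the first is the timestamp from the message.
SAMPLES = [
    "2014-07-01T01:30:00.000000+03:00",  # UTC date is the previous day
    "2014-07-01T12:00:00.000000+03:00",  # same date in UTC
    "2014-06-30T22:15:00.000000-05:00",  # UTC date is the next day
    "2014-07-01T00:00:00.000000Z",       # already UTC
]

if __name__ == "__main__":
    for ts, local, utc in misfiled(SAMPLES, sep="-"):
        print(ts, index_name("X", "Y", local), "->", index_name("X", "Y", utc))
```
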