I thought we already had an issue for this, but I'm not able to find one.
Timestamps and other date information show up in logs in all sorts of odd formats. Currently liblognorm handles several specific formats, but there is no way to customize it.
There should be a way to define (either as a custom type, or in a rule inside the %%) a custom date field. This is different from just defining a custom type that matches the different parts of a date in that this combines the different parts into a time value.
I would suggest using the same % fields that are used by date, as they seem to be common across many different tools.
So if you have a log message that says 20160128, you should be able to do something like
datetime=mydate:%Y%m%d
or
%foo:datetime:%Y%m%d
(skipping the escaping of the % in this for clarity, this is an annoying conflict)
or if someone did 2016/01/27 you would have %Y/%m/%d
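
The behaviour requested above, as an added example (not liblognorm code and not from the issue author): a strict parser that matches a date-style format against a field and combines the parts into a single time value. `parse_custom_date` is a hypothetical name; it supports only `%Y %m %d %H %M %S`, treats the time as UTC, and rejects impossible dates and trailing input so a malformed timestamp does not silently normalize to a wrong time.

```c
#include <stdint.h>

/* Read exactly `width` decimal digits at *s into *out and advance *s. */
static int read_digits(const char **s, int width, int *out) {
    int v = 0;
    for (int i = 0; i < width; i++) {
        char c = (*s)[i];
        if (c < '0' || c > '9') return -1;     /* also stops at the NUL */
        v = v * 10 + (c - '0');
    }
    *s += width; *out = v;
    return 0;
}

/* Days since 1970-01-01, proleptic Gregorian calendar. */
static int64_t days_from_civil(int y, int m, int d) {
    y -= m <= 2;                               /* count years from March */
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int64_t yoe = y - era * 400;
    int64_t doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Hypothetical helper: match text against fmt (%Y %m %d %H %M %S, %%, literals).
 * Returns 0 and stores UTC epoch seconds in *epoch, or -1 on any mismatch. */
int parse_custom_date(const char *text, const char *fmt, int64_t *epoch) {
    static const int mdays[] = {31,28,31,30,31,30,31,31,30,31,30,31};
    int Y = 1970, m = 1, d = 1, H = 0, M = 0, S = 0, rc;
    for (; *fmt; fmt++) {
        if (*fmt != '%') { if (*text++ != *fmt) return -1; continue; }
        switch (*++fmt) {
        case 'Y': rc = read_digits(&text, 4, &Y); break;
        case 'm': rc = read_digits(&text, 2, &m); break;
        case 'd': rc = read_digits(&text, 2, &d); break;
        case 'H': rc = read_digits(&text, 2, &H); break;
        case 'M': rc = read_digits(&text, 2, &M); break;
        case 'S': rc = read_digits(&text, 2, &S); break;
        case '%': rc = (*text++ == '%') ? 0 : -1; break;
        default:  return -1;                   /* unsupported specifier */
        }
        if (rc) return -1;
    }
    if (*text) return -1;                      /* reject trailing input */
    int leap = (Y % 4 == 0 && Y % 100 != 0) || Y % 400 == 0;
    if (m < 1 || m > 12 || d < 1 || d > mdays[m - 1] + (m == 2 && leap)) return -1;
    if (H > 23 || M > 59 || S > 59) return -1;
    *epoch = days_from_civil(Y, m, d) * 86400 + H * 3600 + M * 60 + S;
    return 0;
}
```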