logstash-filter-date 0.1.0

checksums.yaml

@@ -0,0 +1,15 @@
+---
+!binary "U0hBMQ==":
+  metadata.gz: !binary |-
+    NGIzYmRiMTk0MzRkMDVjZWQxODE1NDBjNmYyNTQ3YzlkNTUzNGMwYg==
+  data.tar.gz: !binary |-
+    ZTkyNDQxOTk3OWExNmU0ZGIxZDRlMjVjODgxODNhYzgzOTAwNGMzOQ==
+SHA512:
+  metadata.gz: !binary |-
+    NTI0YTRiODQ4ZjAxMDUwZDY4YjI2MDE5NDA3YmQ2ZDVmMDY3NDFiZDZlMmVh
+    NTVhNTg3MjY2YjdlNDI4YjY1YWI5Y2Y1OGUwYTY0NzU5OWMwZmFiMjNjMDEy
+    YzI4MzEwZWNhYTEyYTFmOTllMThiZmRhYjU3MTg2MjYzMDY3MWU=
+  data.tar.gz: !binary |-
+    N2MwNGI4Zjk0ZjFjOGNkZWZkZDhhOGNjMDdhZTE4OTcwM2ZiY2I5Nzk2ZDky
+    OGRkMTgwNDQ4ZTQ2MjQ3ZWZhYWE5Mjg1NTVmZjVhNWZlMGMxNTVlMmM5MzFk
+    ZTFmZGQ5NGE4ZTI2NmRkMDAwYmY4ZDExMmUwYTk1ZWFiMzZiYTc=

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+Gemfile.lock
+.bundle
+vendor

data/Gemfile

@@ -0,0 +1,3 @@
+source 'http://rubygems.org'
+gem 'rake'
+gem 'gem_publisher'

data/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 2012-2014 Elasticsearch <http://www.elasticsearch.org>
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

data/Rakefile

@@ -0,0 +1,6 @@
+@files=[]
+
+task :default do
+  system("rake -T")
+end
+

data/lib/logstash/filters/date.rb

@@ -0,0 +1,236 @@
+# encoding: utf-8
+require "logstash/filters/base"
+require "logstash/namespace"
+require "logstash/timestamp"
+
+# The date filter is used for parsing dates from fields, and then using that
+# date or timestamp as the logstash timestamp for the event.
+#
+# For example, syslog events usually have timestamps like this:
+#
+#     "Apr 17 09:32:01"
+#
+# You would use the date format "MMM dd HH:mm:ss" to parse this.
+#
+# The date filter is especially important for sorting events and for
+# backfilling old data. If you don't get the date correct in your
+# event, then searching for them later will likely sort out of order.
+#
+# In the absence of this filter, logstash will choose a timestamp based on the
+# first time it sees the event (at input time), if the timestamp is not already
+# set in the event. For example, with file input, the timestamp is set to the
+# time of each read.
+class LogStash::Filters::Date < LogStash::Filters::Base
+  if RUBY_ENGINE == "jruby"
+    JavaException = java.lang.Exception
+    UTC = org.joda.time.DateTimeZone.forID("UTC")
+  end
+
+  config_name "date"
+  milestone 3
+
+  # Specify a time zone canonical ID to be used for date parsing.
+  # The valid IDs are listed on the [Joda.org available time zones page](http://joda-time.sourceforge.net/timezones.html).
+  # This is useful in case the time zone cannot be extracted from the value,
+  # and is not the platform default.
+  # If this is not specified the platform default will be used.
+  # Canonical ID is good as it takes care of daylight saving time for you
+  # For example, `America/Los_Angeles` or `Europe/France` are valid IDs.
+  config :timezone, :validate => :string
+
+  # Specify a locale to be used for date parsing using either IETF-BCP47 or POSIX language tag.
+  # Simple examples are `en`,`en-US` for BCP47 or `en_US` for POSIX.
+  # If not specified, the platform default will be used.
+  #
+  # The locale is mostly necessary to be set for parsing month names (pattern with MMM) and
+  # weekday names (pattern with EEE).
+  #
+  config :locale, :validate => :string
+
+  # The date formats allowed are anything allowed by Joda-Time (java time
+  # library). You can see the docs for this format here:
+  #
+  # [joda.time.format.DateTimeFormat](http://joda-time.sourceforge.net/apidocs/org/joda/time/format/DateTimeFormat.html)
+  #
+  # An array with field name first, and format patterns following, `[ field,
+  # formats... ]`
+  #
+  # If your time field has multiple possible formats, you can do this:
+  #
+  #     match => [ "logdate", "MMM dd YYY HH:mm:ss",
+  #               "MMM  d YYY HH:mm:ss", "ISO8601" ]
+  #
+  # The above will match a syslog (rfc3164) or iso8601 timestamp.
+  #
+  # There are a few special exceptions. The following format literals exist
+  # to help you save time and ensure correctness of date parsing.
+  #
+  # * "ISO8601" - should parse any valid ISO8601 timestamp, such as
+  #   2011-04-19T03:44:01.103Z
+  # * "UNIX" - will parse unix time in seconds since epoch
+  # * "UNIX_MS" - will parse unix time in milliseconds since epoch
+  # * "TAI64N" - will parse tai64n time values
+  #
+  # For example, if you have a field 'logdate', with a value that looks like
+  # 'Aug 13 2010 00:03:44', you would use this configuration:
+  #
+  #     filter {
+  #       date {
+  #         match => [ "logdate", "MMM dd YYYY HH:mm:ss" ]
+  #       }
+  #     }
+  #
+  # If your field is nested in your structure, you can use the nested
+  # syntax [foo][bar] to match its value. For more information, please refer to
+  # http://logstash.net/docs/latest/configuration#fieldreferences
+  config :match, :validate => :array, :default => []
+
+  # Store the matching timestamp into the given target field.  If not provided,
+  # default to updating the @timestamp field of the event.
+  config :target, :validate => :string, :default => "@timestamp"
+
+  # LOGSTASH-34
+  DATEPATTERNS = %w{ y d H m s S }
+
+  public
+  def initialize(config = {})
+    super
+
+    @parsers = Hash.new { |h,k| h[k] = [] }
+  end # def initialize
+
+  public
+  def register
+    require "java"
+    if @match.length < 2
+      raise LogStash::ConfigurationError, I18n.t("logstash.agent.configuration.invalid_plugin_register",
+        :plugin => "filter", :type => "date",
+        :error => "The match setting should contains first a field name and at least one date format, current value is #{@match}")
+    end
+
+    locale = nil
+    if @locale
+      if @locale.include? '_'
+        @logger.warn("Date filter now use BCP47 format for locale, replacing underscore with dash")
+        @locale.gsub!('_','-')
+      end
+      locale = java.util.Locale.forLanguageTag(@locale)
+    end
+    setupMatcher(@config["match"].shift, locale, @config["match"] )
+  end
+
+  def setupMatcher(field, locale, value)
+    value.each do |format|
+      parsers = []
+      case format
+        when "ISO8601"
+          iso_parser = org.joda.time.format.ISODateTimeFormat.dateTimeParser
+          if @timezone
+            iso_parser = iso_parser.withZone(org.joda.time.DateTimeZone.forID(@timezone))
+          else
+            iso_parser = iso_parser.withOffsetParsed
+          end
+          parsers << lambda { |date| iso_parser.parseMillis(date) }
+          #Fall back solution of almost ISO8601 date-time
+          almostISOparsers = [
+            org.joda.time.format.DateTimeFormat.forPattern("yyyy-MM-dd HH:mm:ss.SSSZ").getParser(),
+            org.joda.time.format.DateTimeFormat.forPattern("yyyy-MM-dd HH:mm:ss.SSS").getParser()
+          ].to_java(org.joda.time.format.DateTimeParser)
+          joda_parser = org.joda.time.format.DateTimeFormatterBuilder.new.append( nil, almostISOparsers ).toFormatter()
+          if @timezone
+            joda_parser = joda_parser.withZone(org.joda.time.DateTimeZone.forID(@timezone))
+          else
+            joda_parser = joda_parser.withOffsetParsed
+          end
+          parsers << lambda { |date| joda_parser.parseMillis(date) }
+        when "UNIX" # unix epoch
+          parsers << lambda do |date|
+            raise "Invalid UNIX epoch value '#{date}'" unless /^\d+(?:\.\d+)?$/ === date || date.is_a?(Numeric)
+            (date.to_f * 1000).to_i
+          end
+        when "UNIX_MS" # unix epoch in ms
+          parsers << lambda do |date|
+            raise "Invalid UNIX epoch value '#{date}'" unless /^\d+$/ === date || date.is_a?(Numeric)
+            date.to_i
+          end
+        when "TAI64N" # TAI64 with nanoseconds, -10000 accounts for leap seconds
+          parsers << lambda do |date| 
+            # Skip leading "@" if it is present (common in tai64n times)
+            date = date[1..-1] if date[0, 1] == "@"
+            return (date[1..15].hex * 1000 - 10000)+(date[16..23].hex/1000000)
+          end
+        else
+          joda_parser = org.joda.time.format.DateTimeFormat.forPattern(format).withDefaultYear(Time.new.year)
+          if @timezone
+            joda_parser = joda_parser.withZone(org.joda.time.DateTimeZone.forID(@timezone))
+          else
+            joda_parser = joda_parser.withOffsetParsed
+          end
+          if (locale != nil)
+            joda_parser = joda_parser.withLocale(locale)
+          end
+          parsers << lambda { |date| joda_parser.parseMillis(date) }
+      end
+
+      @logger.debug("Adding type with date config", :type => @type,
+                    :field => field, :format => format)
+      @parsers[field] << {
+        :parser => parsers,
+        :format => format
+      }
+    end
+  end
+
+  # def register
+
+  public
+  def filter(event)
+    @logger.debug? && @logger.debug("Date filter: received event", :type => event["type"])
+    return unless filter?(event)
+    @parsers.each do |field, fieldparsers|
+      @logger.debug? && @logger.debug("Date filter looking for field",
+                                      :type => event["type"], :field => field)
+      next unless event.include?(field)
+
+      fieldvalues = event[field]
+      fieldvalues = [fieldvalues] if !fieldvalues.is_a?(Array)
+      fieldvalues.each do |value|
+        next if value.nil?
+        begin
+          epochmillis = nil
+          success = false
+          last_exception = RuntimeError.new "Unknown"
+          fieldparsers.each do |parserconfig|
+            parserconfig[:parser].each do |parser|
+              begin
+                epochmillis = parser.call(value)
+                success = true
+                break # success
+              rescue StandardError, JavaException => e
+                last_exception = e
+              end
+            end # parserconfig[:parser].each
+            break if success
+          end # fieldparsers.each
+
+          raise last_exception unless success
+
+          # Convert joda DateTime to a ruby Time
+          event[@target] = LogStash::Timestamp.at(epochmillis / 1000, (epochmillis % 1000) * 1000)
+
+          @logger.debug? && @logger.debug("Date parsing done", :value => value, :timestamp => event[@target])
+          filter_matched(event)
+        rescue StandardError, JavaException => e
+          @logger.warn("Failed parsing date from field", :field => field,
+                       :value => value, :exception => e)
+          # Raising here will bubble all the way up and cause an exit.
+          # TODO(sissel): Maybe we shouldn't raise?
+          # TODO(sissel): What do we do on a failure? Tag it like grok does?
+          #raise e
+        end # begin
+      end # fieldvalue.each
+    end # @parsers.each
+
+    return event
+  end # def filter
+end # class LogStash::Filters::Date

data/logstash-filter-date.gemspec

@@ -0,0 +1,28 @@
+Gem::Specification.new do |s|
+
+  s.name            = 'logstash-filter-date'
+  s.version         = '0.1.0'
+  s.licenses        = ['Apache License (2.0)']
+  s.summary         = "The date filter is used for parsing dates from fields, and then using that date or timestamp as the logstash timestamp for the event."
+  s.description     = "Convert arbitrary date format into Logstash timestamp"
+  s.authors         = ["Elasticsearch"]
+  s.email           = 'richard.pijnenburg@elasticsearch.com'
+  s.homepage        = "http://logstash.net/"
+  s.require_paths = ["lib"]
+
+  # Files
+  s.files = `git ls-files`.split($\)+::Dir.glob('vendor/*')
+
+  # Tests
+  s.test_files = s.files.grep(%r{^(test|spec|features)/})
+
+  # Special flag to let us know this is actually a logstash plugin
+  s.metadata = { "logstash_plugin" => "true", "group" => "filter" }
+
+  # Gem dependencies
+  s.add_runtime_dependency 'logstash', '>= 1.4.0', '< 2.0.0'
+  s.add_runtime_dependency 'logstash-input-generator'
+  s.add_runtime_dependency 'logstash-codec-json'
+  s.add_runtime_dependency 'logstash-output-null'
+end
+

data/rakelib/publish.rake

@@ -0,0 +1,9 @@
+require "gem_publisher"
+
+desc "Publish gem to RubyGems.org"
+task :publish_gem do |t|
+  gem_file = Dir.glob(File.expand_path('../*.gemspec',File.dirname(__FILE__))).first
+  gem = GemPublisher.publish_if_updated(gem_file, :rubygems)
+  puts "Published #{gem}" if gem
+end
+

data/rakelib/vendor.rake

@@ -0,0 +1,169 @@
+require "net/http"
+require "uri"
+require "digest/sha1"
+
+def vendor(*args)
+  return File.join("vendor", *args)
+end
+
+directory "vendor/" => ["vendor"] do |task, args|
+  mkdir task.name
+end
+
+def fetch(url, sha1, output)
+
+  puts "Downloading #{url}"
+  actual_sha1 = download(url, output)
+
+  if actual_sha1 != sha1
+    fail "SHA1 does not match (expected '#{sha1}' but got '#{actual_sha1}')"
+  end
+end # def fetch
+
+def file_fetch(url, sha1)
+  filename = File.basename( URI(url).path )
+  output = "vendor/#{filename}"
+  task output => [ "vendor/" ] do
+    begin
+      actual_sha1 = file_sha1(output)
+      if actual_sha1 != sha1
+        fetch(url, sha1, output)
+      end
+    rescue Errno::ENOENT
+      fetch(url, sha1, output)
+    end
+  end.invoke
+
+  return output
+end
+
+def file_sha1(path)
+  digest = Digest::SHA1.new
+  fd = File.new(path, "r")
+  while true
+    begin
+      digest << fd.sysread(16384)
+    rescue EOFError
+      break
+    end
+  end
+  return digest.hexdigest
+ensure
+  fd.close if fd
+end
+
+def download(url, output)
+  uri = URI(url)
+  digest = Digest::SHA1.new
+  tmp = "#{output}.tmp"
+  Net::HTTP.start(uri.host, uri.port, :use_ssl => (uri.scheme == "https")) do |http|
+    request = Net::HTTP::Get.new(uri.path)
+    http.request(request) do |response|
+      fail "HTTP fetch failed for #{url}. #{response}" if [200, 301].include?(response.code)
+      size = (response["content-length"].to_i || -1).to_f
+      count = 0
+      File.open(tmp, "w") do |fd|
+        response.read_body do |chunk|
+          fd.write(chunk)
+          digest << chunk
+          if size > 0 && $stdout.tty?
+            count += chunk.bytesize
+            $stdout.write(sprintf("\r%0.2f%%", count/size * 100))
+          end
+        end
+      end
+      $stdout.write("\r      \r") if $stdout.tty?
+    end
+  end
+
+  File.rename(tmp, output)
+
+  return digest.hexdigest
+rescue SocketError => e
+  puts "Failure while downloading #{url}: #{e}"
+  raise
+ensure
+  File.unlink(tmp) if File.exist?(tmp)
+end # def download
+
+def untar(tarball, &block)
+  require "archive/tar/minitar"
+  tgz = Zlib::GzipReader.new(File.open(tarball))
+  # Pull out typesdb
+  tar = Archive::Tar::Minitar::Input.open(tgz)
+  tar.each do |entry|
+    path = block.call(entry)
+    next if path.nil?
+    parent = File.dirname(path)
+    
+    mkdir_p parent unless File.directory?(parent)
+
+    # Skip this file if the output file is the same size
+    if entry.directory?
+      mkdir path unless File.directory?(path)
+    else
+      entry_mode = entry.instance_eval { @mode } & 0777
+      if File.exists?(path)
+        stat = File.stat(path)
+        # TODO(sissel): Submit a patch to archive-tar-minitar upstream to
+        # expose headers in the entry.
+        entry_size = entry.instance_eval { @size }
+        # If file sizes are same, skip writing.
+        next if stat.size == entry_size && (stat.mode & 0777) == entry_mode
+      end
+      puts "Extracting #{entry.full_name} from #{tarball} #{entry_mode.to_s(8)}"
+      File.open(path, "w") do |fd|
+        # eof? check lets us skip empty files. Necessary because the API provided by
+        # Archive::Tar::Minitar::Reader::EntryStream only mostly acts like an
+        # IO object. Something about empty files in this EntryStream causes
+        # IO.copy_stream to throw "can't convert nil into String" on JRuby
+        # TODO(sissel): File a bug about this.
+        while !entry.eof?
+          chunk = entry.read(16384)
+          fd.write(chunk)
+        end
+          #IO.copy_stream(entry, fd)
+      end
+      File.chmod(entry_mode, path)
+    end
+  end
+  tar.close
+  File.unlink(tarball) if File.file?(tarball)
+end # def untar
+
+def ungz(file)
+
+  outpath = file.gsub('.gz', '')
+  tgz = Zlib::GzipReader.new(File.open(file))
+  begin
+    File.open(outpath, "w") do |out|
+      IO::copy_stream(tgz, out)
+    end
+    File.unlink(file)
+  rescue
+    File.unlink(outpath) if File.file?(outpath)
+   raise
+  end
+  tgz.close
+end
+
+desc "Process any vendor files required for this plugin"
+task "vendor" do |task, args|
+
+  @files.each do |file| 
+    download = file_fetch(file['url'], file['sha1'])
+    if download =~ /.tar.gz/
+      prefix = download.gsub('.tar.gz', '').gsub('vendor/', '')
+      untar(download) do |entry|
+        if !file['files'].nil?
+          next unless file['files'].include?(entry.full_name.gsub(prefix, ''))
+          out = entry.full_name.split("/").last
+        end
+        File.join('vendor', out)
+      end
+    elsif download =~ /.gz/
+      ungz(download)
+    end
+  end
+
+end

data/spec/filters/date_spec.rb

@@ -0,0 +1,422 @@
+require "spec_helper"
+require "logstash/filters/date"
+
+puts "Skipping date performance tests because this ruby is not jruby" if RUBY_ENGINE != "jruby"
+RUBY_ENGINE == "jruby" and describe LogStash::Filters::Date do
+
+  describe "giving an invalid match config, raise a configuration error" do
+    config <<-CONFIG
+      filter {
+        date {
+          match => [ "mydate"]
+          locale => "en"
+        }
+      }
+    CONFIG
+
+    sample "not_really_important" do
+      insist {subject}.raises LogStash::ConfigurationError
+    end
+
+  end
+
+  describe "parsing with ISO8601" do
+    config <<-CONFIG
+      filter {
+        date {
+          match => [ "mydate", "ISO8601" ]
+          locale => "en"
+          timezone => "UTC"
+        }
+      }
+    CONFIG
+
+    times = {
+      "2001-01-01T00:00:00-0800"         => "2001-01-01T08:00:00.000Z",
+      "1974-03-02T04:09:09-0800"         => "1974-03-02T12:09:09.000Z",
+      "2010-05-03T08:18:18+00:00"        => "2010-05-03T08:18:18.000Z",
+      "2004-07-04T12:27:27-00:00"        => "2004-07-04T12:27:27.000Z",
+      "2001-09-05T16:36:36+0000"         => "2001-09-05T16:36:36.000Z",
+      "2001-11-06T20:45:45-0000"         => "2001-11-06T20:45:45.000Z",
+      "2001-12-07T23:54:54Z"             => "2001-12-07T23:54:54.000Z",
+
+      # TODO: This test assumes PDT
+      #"2001-01-01T00:00:00.123"          => "2001-01-01T08:00:00.123Z",
+
+      "2010-05-03T08:18:18.123+00:00"    => "2010-05-03T08:18:18.123Z",
+      "2004-07-04T12:27:27.123-04:00"    => "2004-07-04T16:27:27.123Z",
+      "2001-09-05T16:36:36.123+0700"     => "2001-09-05T09:36:36.123Z",
+      "2001-11-06T20:45:45.123-0000"     => "2001-11-06T20:45:45.123Z",
+      "2001-12-07T23:54:54.123Z"         => "2001-12-07T23:54:54.123Z",
+
+      #Almost ISO8601 support, with timezone
+
+      "2001-11-06 20:45:45.123-0000"     => "2001-11-06T20:45:45.123Z",
+      "2001-12-07 23:54:54.123Z"         => "2001-12-07T23:54:54.123Z",
+
+      #Almost ISO8601 support, without timezone
+
+      "2001-11-06 20:45:45.123"     => "2001-11-06T20:45:45.123Z",
+
+    }
+
+    times.each do |input, output|
+      sample("mydate" => input) do
+        begin
+          insist { subject["mydate"] } == input
+          insist { subject["@timestamp"].time } == Time.iso8601(output).utc
+        rescue
+          #require "pry"; binding.pry
+          raise
+        end
+      end
+    end # times.each
+  end
+
+  describe "parsing with java SimpleDateFormat syntax" do
+    config <<-CONFIG
+      filter {
+        date {
+          match => [ "mydate", "MMM dd HH:mm:ss Z" ]
+          locale => "en"
+        }
+      }
+    CONFIG
+
+    now = Time.now
+    year = now.year
+    require 'java'
+
+    times = {
+      "Nov 24 01:29:01 -0800" => "#{year}-11-24T09:29:01.000Z",
+    }
+    times.each do |input, output|
+      sample("mydate" => input) do
+        insist { subject["mydate"] } == input
+        insist { subject["@timestamp"].time } == Time.iso8601(output).utc
+      end
+    end # times.each
+  end
+
+  describe "parsing with UNIX" do
+    config <<-CONFIG
+      filter {
+        date {
+          match => [ "mydate", "UNIX" ]
+          locale => "en"
+        }
+      }
+    CONFIG
+
+    times = {
+      "0"          => "1970-01-01T00:00:00.000Z",
+      "1000000000" => "2001-09-09T01:46:40.000Z",
+
+      # LOGSTASH-279 - sometimes the field is a number.
+      0          => "1970-01-01T00:00:00.000Z",
+      1000000000 => "2001-09-09T01:46:40.000Z"
+    }
+    times.each do |input, output|
+      sample("mydate" => input) do
+        insist { subject["mydate"] } == input
+        insist { subject["@timestamp"].time } == Time.iso8601(output).utc
+      end
+    end # times.each
+
+    #Invalid value should not be evaluated to zero (String#to_i madness)
+    sample("mydate" => "%{bad_value}") do
+      insist { subject["mydate"] } == "%{bad_value}"
+      insist { subject["@timestamp"] } != Time.iso8601("1970-01-01T00:00:00.000Z").utc
+    end
+  end
+
+  describe "parsing microsecond-precise times with UNIX (#213)" do
+    config <<-CONFIG
+      filter {
+        date {
+          match => [ "mydate", "UNIX" ]
+          locale => "en"
+        }
+      }
+    CONFIG
+
+    sample("mydate" => "1350414944.123456") do
+      # Joda time only supports milliseconds :\
+      insist { subject.timestamp.time } == Time.iso8601("2012-10-16T12:15:44.123-07:00").utc
+    end
+
+    #Support float values
+    sample("mydate" => 1350414944.123456) do
+      insist { subject["mydate"] } == 1350414944.123456
+      insist { subject["@timestamp"].time } == Time.iso8601("2012-10-16T12:15:44.123-07:00").utc
+    end
+
+    #Invalid value should not be evaluated to zero (String#to_i madness)
+    sample("mydate" => "%{bad_value}") do
+      insist { subject["mydate"] } == "%{bad_value}"
+      insist { subject["@timestamp"] } != Time.iso8601("1970-01-01T00:00:00.000Z").utc
+    end
+  end
+
+  describe "parsing with UNIX_MS" do
+    config <<-CONFIG
+      filter {
+        date {
+          match => [ "mydate", "UNIX_MS" ]
+          locale => "en"
+        }
+      }
+    CONFIG
+
+    times = {
+      "0"          => "1970-01-01T00:00:00.000Z",
+      "456"          => "1970-01-01T00:00:00.456Z",
+      "1000000000123" => "2001-09-09T01:46:40.123Z",
+
+      # LOGSTASH-279 - sometimes the field is a number.
+      0          => "1970-01-01T00:00:00.000Z",
+      456          => "1970-01-01T00:00:00.456Z",
+      1000000000123 => "2001-09-09T01:46:40.123Z"
+    }
+    times.each do |input, output|
+      sample("mydate" => input) do
+        insist { subject["mydate"] } == input
+        insist { subject["@timestamp"].time } == Time.iso8601(output)
+      end
+    end # times.each
+  end
+
+  describe "failed parses should not cause a failure (LOGSTASH-641)" do
+    config <<-'CONFIG'
+      input {
+        generator {
+          lines => [
+            '{ "mydate": "this will not parse" }',
+            '{ }'
+          ]
+          codec => json
+          type => foo
+          count => 1
+        }
+      }
+      filter {
+        date {
+          match => [ "mydate", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss" ]
+          locale => "en"
+        }
+      }
+      output {
+        null { }
+      }
+    CONFIG
+
+    agent do
+      # nothing to do, if this crashes it's an error..
+    end
+  end
+
+  describe "TAI64N support" do
+    config <<-'CONFIG'
+      filter {
+        date {
+          match => [ "t",  TAI64N ]
+          locale => "en"
+        }
+      }
+    CONFIG
+
+    # Try without leading "@"
+    sample("t" => "4000000050d506482dbdf024") do
+      insist { subject.timestamp.time } == Time.iso8601("2012-12-22T01:00:46.767Z").utc
+    end
+
+    # Should still parse successfully if it's a full tai64n time (with leading
+    # '@')
+    sample("t" => "@4000000050d506482dbdf024") do
+      insist { subject.timestamp.time } == Time.iso8601("2012-12-22T01:00:46.767Z").utc
+    end
+  end
+
+  describe "accept match config option with hash value (LOGSTASH-735)" do
+    config <<-CONFIG
+      filter {
+        date {
+          match => [ "mydate", "ISO8601" ]
+          locale => "en"
+        }
+      }
+    CONFIG
+
+    time = "2001-09-09T01:46:40.000Z"
+
+    sample("mydate" => time) do
+      insist { subject["mydate"] } == time
+      insist { subject["@timestamp"].time } == Time.iso8601(time).utc
+    end
+  end
+
+  describe "support deep nested field access" do
+    config <<-CONFIG
+      filter {
+        date {
+          match => [ "[data][deep]", "ISO8601" ]
+          locale => "en"
+        }
+      }
+    CONFIG
+
+    sample("data" => { "deep" => "2013-01-01T00:00:00.000Z" }) do
+      insist { subject["@timestamp"].time } == Time.iso8601("2013-01-01T00:00:00.000Z").utc
+    end
+  end
+
+  describe "failing to parse should not throw an exception" do
+    config <<-CONFIG
+      filter {
+        date {
+          match => [ "thedate", "yyyy/MM/dd" ]
+          locale => "en"
+        }
+      }
+    CONFIG
+
+    sample("thedate" => "2013/Apr/21") do
+      insist { subject["@timestamp"] } != "2013-04-21T00:00:00.000Z"
+    end
+  end
+
+   describe "success to parse should apply on_success config(add_tag,add_field...)" do
+    config <<-CONFIG
+      filter {
+        date {
+          match => [ "thedate", "yyyy/MM/dd" ]
+          add_tag => "tagged"
+        }
+      }
+    CONFIG
+
+    sample("thedate" => "2013/04/21") do
+      insist { subject["@timestamp"] } != "2013-04-21T00:00:00.000Z"
+      insist { subject["tags"] } == ["tagged"]
+    end
+  end
+
+   describe "failing to parse should not apply on_success config(add_tag,add_field...)" do
+    config <<-CONFIG
+      filter {
+        date {
+          match => [ "thedate", "yyyy/MM/dd" ]
+          add_tag => "tagged"
+        }
+      }
+    CONFIG
+
+    sample("thedate" => "2013/Apr/21") do
+      insist { subject["@timestamp"] } != "2013-04-21T00:00:00.000Z"
+      insist { subject["tags"] } == nil
+    end
+  end
+
+  describe "parsing with timezone parameter" do
+    config <<-CONFIG
+      filter {
+        date {
+          match => ["mydate", "yyyy MMM dd HH:mm:ss"]
+          locale => "en"
+          timezone => "America/Los_Angeles"
+        }
+      }
+    CONFIG
+
+    require 'java'
+    times = {
+      "2013 Nov 24 01:29:01" => "2013-11-24T09:29:01.000Z",
+      "2013 Jun 24 01:29:01" => "2013-06-24T08:29:01.000Z",
+    }
+    times.each do |input, output|
+      sample("mydate" => input) do
+        insist { subject["mydate"] } == input
+        insist { subject["@timestamp"].time } == Time.iso8601(output).utc
+      end
+    end # times.each
+  end
+
+  describe "LOGSTASH-34 - Default year should be this year" do
+    config <<-CONFIG
+      filter {
+        date {
+          match => [ "message", "EEE MMM dd HH:mm:ss" ]
+          locale => "en"
+        }
+      }
+    CONFIG
+
+    sample "Sun Jun 02 20:38:03" do
+      insist { subject["@timestamp"].year } == Time.now.year
+    end
+  end
+
+  describe "Supporting locale only" do
+    config <<-CONFIG
+      filter {
+        date {
+          match => [ "message", "dd MMMM yyyy" ]
+          locale => "fr"
+          timezone => "UTC"
+        }
+      }
+    CONFIG
+
+    sample "14 juillet 1789" do
+      insist { subject["@timestamp"].time } == Time.iso8601("1789-07-14T00:00:00.000Z").utc
+    end
+  end
+
+  describe "Supporting locale+country in BCP47" do
+    config <<-CONFIG
+      filter {
+        date {
+          match => [ "message", "dd MMMM yyyy" ]
+          locale => "fr-FR"
+          timezone => "UTC"
+        }
+      }
+    CONFIG
+
+    sample "14 juillet 1789" do
+      insist { subject["@timestamp"].time } == Time.iso8601("1789-07-14T00:00:00.000Z").utc
+    end
+  end
+
+  describe "Supporting locale+country in POSIX (internally replace '_' by '-')" do
+    config <<-CONFIG
+      filter {
+        date {
+          match => [ "message", "dd MMMM yyyy" ]
+          locale => "fr_FR"
+          timezone => "UTC"
+        }
+      }
+    CONFIG
+
+    sample "14 juillet 1789" do
+      insist { subject["@timestamp"].time } == Time.iso8601("1789-07-14T00:00:00.000Z").utc
+    end
+  end
+
+  describe "http dates" do
+
+    config <<-'CONFIG'
+      filter {
+        date {
+          match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
+          locale => "en"
+        }
+      }
+    CONFIG
+
+    sample("timestamp" => "25/Mar/2013:20:33:56 +0000") do
+      insist { subject["@timestamp"].time } == Time.iso8601("2013-03-25T20:33:56.000Z")
+    end
+  end
+end

metadata

@@ -0,0 +1,118 @@
+--- !ruby/object:Gem::Specification
+name: logstash-filter-date
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Elasticsearch
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-11-05 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: logstash
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 1.4.0
+    - - <
+      - !ruby/object:Gem::Version
+        version: 2.0.0
+- !ruby/object:Gem::Dependency
+  name: logstash-input-generator
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: logstash-codec-json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: logstash-output-null
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Convert arbitrary date format into Logstash timestamp
+email: richard.pijnenburg@elasticsearch.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- Gemfile
+- LICENSE
+- Rakefile
+- lib/logstash/filters/date.rb
+- logstash-filter-date.gemspec
+- rakelib/publish.rake
+- rakelib/vendor.rake
+- spec/filters/date_spec.rb
+homepage: http://logstash.net/
+licenses:
+- Apache License (2.0)
+metadata:
+  logstash_plugin: 'true'
+  group: filter
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.1
+signing_key: 
+specification_version: 4
+summary: The date filter is used for parsing dates from fields, and then using that
+  date or timestamp as the logstash timestamp for the event.
+test_files:
+- spec/filters/date_spec.rb