Description
Use Case
As an Elastic Stack admin, I have logs being ingested from multiple timezones. Many of these logs do not have timezones set in the log event. I am able to include the event.timezone in the log event, by setting a processor with the beat, which then returns the timezone in the format:
{
  "event": {
    "timezone": "-07:00"
  }
}
However, I am unable to use that timezone information directly in the date filter when parsing the date.
Desired Outcome
The date filter documentation states:
This field can be dynamic and include parts of the event using the %{field} syntax
However, the date filter requires a Joda-formatted timezone, so the following fails:
date {
match => [ "[@metadata][_timestamp]", "MMM dd, yyyy H:mm:ss a" ]
timezone => "%{[event][timezone]}"
target => "@timestamp"
}
Please allow the timezone parameter to also accept an offset format, in addition to the Joda format, or add a second, mutually exclusive parameter timezone_offset, which accomplishes the same thing.
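
The conversion this request asks for, sketched as an added example (not part of the original issue and not Logstash code): apply an offset such as the event.timezone value above to a zone-less timestamp and normalize it to UTC, rejecting anything that is not a strict offset. The function names, the strptime format (a Ruby stand-in for the Joda pattern in the config) and the sample values are assumptions made for illustration.

```ruby
require 'time'

# Strict "+HH:MM" / "-HH:MM" shape, as in the event.timezone value "-07:00".
OFFSET_RE = /\A([+-])(\d{2}):(\d{2})\z/

# Ruby strptime stand-in for the Joda pattern "MMM dd, yyyy H:mm:ss a",
# with %z appended so the offset can be supplied alongside the timestamp.
STRPTIME_FORMAT = '%b %d, %Y %H:%M:%S %p %z'

# The offset comes from the event itself, so validate it before use.
def valid_offset?(offset)
  m = OFFSET_RE.match(offset.to_s)
  return false unless m

  hours = m[2].to_i
  minutes = m[3].to_i
  # UTC offsets in use run from -12:00 to +14:00.
  hours <= 14 && minutes <= 59
end

# Returns a UTC Time, or nil when the offset or the timestamp is unusable,
# so the caller can tag the event instead of indexing a wrong time.
def local_to_utc(local_ts, offset)
  return nil unless valid_offset?(offset)

  Time.strptime("#{local_ts} #{offset}", STRPTIME_FORMAT).utc
rescue ArgumentError
  nil
end

# Constructed sample events (not taken from the issue).
SAMPLES = [
  ['Mar 09, 2021 3:15:42 PM', '-07:00'],
  ['Dec 31, 2020 11:59:59 PM', '+05:30'],
  ['Mar 09, 2021 3:15:42 PM', 'America/Denver'], # not an offset: rejected
  ['not a timestamp', '-07:00']                  # unparseable: rejected
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |ts, off|
    utc = local_to_utc(ts, off)
    puts "#{ts} (#{off}) -> #{utc ? utc.iso8601 : 'rejected'}"
  end
end
```

Returning nil rather than falling back to the host's timezone keeps a bad offset visible downstream, which matters when events from several timezones are correlated on one timeline.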