Logstash grok日期解析失败

用这个过滤器

filter
{
  grok{
    match => { "message" => "\[(?<timestamp>%{MONTHDAY}-%{MONTH}-%{YEAR} %{TIME} %{TZ})\] %{DATA:errortype}: %{GREEDYDATA:errormessage}"}
  }
  date {
    match => [ "timestamp" , "dd-MMM-YYYY HH:mm:ss Z" ]
    #remove_field => ["timestamp"]
  }
}

我的约会失败了

使用-debug，一切似乎都正常，我只有这个日志

[2018-07-09T08:38:32,925][DEBUG][logstash.inputs.file     ] Received line {:path=>"/tmp/request.log", :text=>"[04-Jul-2018 15:28:02 UTC] PHP Warning:  count(): Parameter must be an array or an o
bject that implements Countable in xxx/program.php on line 508"}
[2018-07-09T08:38:32,941][DEBUG][logstash.inputs.file     ] writing sincedb (delta since last write = 1531118312)
[2018-07-09T08:38:32,948][DEBUG][logstash.pipeline        ] filter received {"event"=>{"@version"=>"1", "host"=>"guillaume", "path"=>"/tmp/request.log", "@timestamp"=>2018-07-09T06:38:32.939Z, "
message"=>"[04-Jul-2018 15:28:02 UTC] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in xxx.php on line 508"}}
[2018-07-09T08:38:32,949][DEBUG][logstash.filters.grok    ] Running grok filter {:event=>2018-07-09T06:38:32.939Z guillaume [04-Jul-2018 15:28:02 UTC] PHP Warning:  count(): Parameter must be an
 array or an object that implements Countable in xxx/program.php on line 508}
[2018-07-09T08:38:32,950][DEBUG][logstash.filters.grok    ] Event now:  {:event=>2018-07-09T06:38:32.939Z guillaume [04-Jul-2018 15:28:02 UTC] PHP Warning:  count(): Parameter must be an array o
r an object that implements Countable in xxx.php on line 508}
[2018-07-09T08:38:32,954][DEBUG][logstash.pipeline        ] output received {"event"=>{"errormessage"=>" count(): Parameter must be an array or an object that implements Countable xxx.php on line 508", "path"=>"/tmp/request.log", "errortype"=>"PHP Warning", "@timestamp"=>2018-07-09T06:
38:32.939Z, "@version"=>"1", "host"=>"guillaume", "message"=>"[04-Jul-2018 15:28:02 UTC] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in xxx.php on line 508", "timestamp"=>"04-Jul-2018 15:28:02 UTC", "tags"=>["_dateparsefailure"]}}

将

YYYY

更改为

yyy

并将

Z

更改为

Z

有关日期格式的更多详细信息，请参阅以下页面：->

[2018-07-09T08:38:32,925][DEBUG][logstash.inputs.file     ] Received line {:path=>"/tmp/request.log", :text=>"[04-Jul-2018 15:28:02 UTC] PHP Warning:  count(): Parameter must be an array or an o
bject that implements Countable in xxx/program.php on line 508"}
[2018-07-09T08:38:32,941][DEBUG][logstash.inputs.file     ] writing sincedb (delta since last write = 1531118312)
[2018-07-09T08:38:32,948][DEBUG][logstash.pipeline        ] filter received {"event"=>{"@version"=>"1", "host"=>"guillaume", "path"=>"/tmp/request.log", "@timestamp"=>2018-07-09T06:38:32.939Z, "
message"=>"[04-Jul-2018 15:28:02 UTC] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in xxx.php on line 508"}}
[2018-07-09T08:38:32,949][DEBUG][logstash.filters.grok    ] Running grok filter {:event=>2018-07-09T06:38:32.939Z guillaume [04-Jul-2018 15:28:02 UTC] PHP Warning:  count(): Parameter must be an
 array or an object that implements Countable in xxx/program.php on line 508}
[2018-07-09T08:38:32,950][DEBUG][logstash.filters.grok    ] Event now:  {:event=>2018-07-09T06:38:32.939Z guillaume [04-Jul-2018 15:28:02 UTC] PHP Warning:  count(): Parameter must be an array o
r an object that implements Countable in xxx.php on line 508}
[2018-07-09T08:38:32,954][DEBUG][logstash.pipeline        ] output received {"event"=>{"errormessage"=>" count(): Parameter must be an array or an object that implements Countable xxx.php on line 508", "path"=>"/tmp/request.log", "errortype"=>"PHP Warning", "@timestamp"=>2018-07-09T06:
38:32.939Z, "@version"=>"1", "host"=>"guillaume", "message"=>"[04-Jul-2018 15:28:02 UTC] PHP Warning:  count(): Parameter must be an array or an object that implements Countable in xxx.php on line 508", "timestamp"=>"04-Jul-2018 15:28:02 UTC", "tags"=>["_dateparsefailure"]}}

date {
    match => [ "timestamp" , "dd-MMM-yyyy HH:mm:ss z" ]
}