[VMware vSphere]: Date parsing error for login events when missing AM/PM

[georgessamaha]

Integration Name

VMware vSphere [vsphere]

Dataset Name

vsphere.log

Integration Version

1.18.2

Agent Version

8.18

OS Version and Architecture

Ubuntu 20.04 LTS

User Goal

Issue: Data processor is failing when we get the date as Wednesday, 16 April, 2025 11:10:33 in the VMware logs.

Parent Ingest Pipeline: logs-vsphere.log-1.18.2

Child Ingest Pipeline: logs-vsphere.log-1.18.2-login

Processor: date

{
    "date": {
      "formats": [
        "EEEE, dd MMMM, yyyy hh:mm:ss a" ],
      "field": "event.start",
      "target_field": "event.start",
      "if": "ctx.event?.start != null"
    }
  }

Event Original : Wednesday, 16 April, 2025 11:10:33 (Only Date timestamp field is providing)

Error Message:: error.message Text 'Wednesday, 16 April, 2025 11:10:33' could not be parsed at index 34
Root cause analysis: The Current processor is expecting the date with am/pm. Due to this it is failing when we get date without am/pm in the logs.

Existing Features

The Current date processor in logs-vsphere.log-1.18.2-login is expecting the date with am/pm. Due to this it is failing when we get date without am/pm in the logs.

What did you see?

Sample log:
2025-04-24T09:29:25.236Z INFO websso[74:tomcat-http--36] [CorId=6ae8edc4-79bb-4d1a-9230-4b51ffbe772a] [auditlogger] {\"user\":\"[email protected]\",\"client\":\"10.15.96.14\",\"timestamp\":\"04/24/2025 09:29:25 GMT\",\"description\":\"User [email protected]@10.15.96.14 logged in with response code 200\",\"eventSeverity\":\"INFO\",\"type\":\"com.vmware.sso.LoginSuccess\"}

The data parsing error is the one inside the message, not the syslog header:
"timestamp":"04/24/2025 09:29:25 GMT\

Anything else?

No response