Changing the date Filter to get exact same timestamp in kibana as in log

Hi, my log looks like this:

www.xyz.com 100.181.12.41 - - [04/Dec/2013:07:35:39 -0600] "GET /abc/images/someimage.png HTTP/1.1" 200

My Grok filter is as below:

grok {
  # The literal brackets around the date must be escaped, otherwise grok reads them as a character class.
  match => {
    "message" => '%{NOTSPACE:domainname} %{IPORHOST:clientip} %{NOTSPACE:username} %{NOTSPACE:auth} \[%{HTTPDATE:timestamp}\] "%{NOTSPACE:method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:httpversion}" %{NOTSPACE:status}'
  }
}

And Date filter:

date {
  # yyyy is the calendar year; YYYY is Joda's week-year and gives wrong results around New Year.
  # The Z token parses the "-0600" offset from the string, so the timezone option below is only
  # consulted when the value carries no offset of its own.
  match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss Z" ]
  timezone => "America/Chicago"
}

But, after processing the record, in Kibana the @timestamp is "December 4th 2013, 19:05:43.000"

I want it to be "December 4th 2013, 07:35:39.000". What changes do I need to make? Please suggest.

Is the actual timestamp in @timestamp correct and in UTC? What's the timezone of the computer where your browser runs?

Hi, thanks for the response.

In Kibana @timestamp was not coming correctly. And the browser's timezone is +0530.

But, with the below date filter I got the desired result:

date {
  # "-0600" here is literal text, not a Z token: the offset in the log is matched but never parsed,
  # so the wall-clock time is interpreted in the Logstash host's own timezone.
  match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss -0600" ]
}

Is this the correct way to do this?

By default Kibana adjusts the UTC timestamps stored in ES to the browser's timezone. If you don't want that, the proper solution is to change Kibana's configuration (Settings -> Advanced, at least in Kibana 4) to use a specific timezone (UTC-6 in this case). Do not attempt to work around the problem by storing anything but UTC in Elasticsearch.
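To make that reply concrete, here is an added Python example (not from the thread or from Logstash) that walks the question's timestamp through both paths: the Z-token pattern that stores UTC and lets Kibana render it per display zone, and the literal "-0600" workaround, whose stored instant depends on the Logstash host's zone. The +0530 browser zone and the UTC-6 log zone are modelled as fixed offsets so no tz database is needed.

```python
from datetime import datetime, timedelta, timezone

# Timestamp from the log line in the question, and the two zones the thread mentions:
# the browser at +0530 and the log's own zone at UTC-6 (fixed offsets, no tz database needed).
LOG_TS = "04/Dec/2013:07:35:39 -0600"
BROWSER_TZ = timezone(timedelta(hours=5, minutes=30))
LOG_TZ = timezone(timedelta(hours=-6))

# Python equivalent of the Joda pattern "dd/MMM/yyyy:HH:mm:ss Z": %z consumes "-0600".
WITH_OFFSET = "%d/%b/%Y:%H:%M:%S %z"
# Equivalent of the workaround pattern: "-0600" is literal text, so no offset is parsed.
NO_OFFSET = "%d/%b/%Y:%H:%M:%S -0600"


def parse_with_offset(ts: str) -> datetime:
    """What the date filter does with a Z token: honour the offset in the
    string and store the instant as UTC, which is what Elasticsearch should hold."""
    return datetime.strptime(ts, WITH_OFFSET).astimezone(timezone.utc)


def parse_workaround(ts: str, host_tz: timezone) -> datetime:
    """What the literal '-0600' pattern does: the offset is ignored and the
    wall-clock time is interpreted in whatever zone the Logstash host runs in."""
    naive = datetime.strptime(ts, NO_OFFSET)  # no tzinfo attached yet
    return naive.replace(tzinfo=host_tz).astimezone(timezone.utc)


def kibana_display(utc_instant: datetime, display_tz: timezone) -> str:
    """What Kibana does on the way out: convert the stored UTC instant to the
    display zone (the browser's zone by default, or the one set in Advanced settings)."""
    return utc_instant.astimezone(display_tz).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    stored = parse_with_offset(LOG_TS)
    print("stored in ES (UTC):       ", stored.isoformat())
    print("browser at +0530 shows:   ", kibana_display(stored, BROWSER_TZ))  # the 19:05 the asker saw
    print("Kibana set to UTC-6 shows:", kibana_display(stored, LOG_TZ))      # the 07:35 they wanted
    # The workaround only matches because the Logstash host happens to sit at UTC-6;
    # on a host in another zone the stored instant itself is wrong, not just its display.
    print("workaround on UTC-6 host: ", parse_workaround(LOG_TS, LOG_TZ).isoformat())
    print("workaround on +0530 host: ", parse_workaround(LOG_TS, BROWSER_TZ).isoformat())
```

Both displayed values in the thread are the same UTC instant (13:35:39Z); only the workaround changes what gets stored, and it does so silently when the host's zone changes.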
