Convert UNIX epoch to local time

mitabrev · April 10, 2017, 7:08am

Hi,

Hope I'm in the right section and will form the right question.

So my situation. I'm using logstash+elasticsearch+kibana for parsin some logs, CSV.

Parsing works perfectly.

I've got two date fieds, submission_time and delivery_time.
I matched the submission_time value to @timestamp and also to the same field for more human readable value.

@timestamp works perfect, correct time zone. While the submission_time and delivery_time show the UTC time.
How can I change the "type of field" to show my local time?

Currently my filter is something like that:

date
{
match => [ "submission_time","UNIX" ]
target => "submission_time"
}

date
{
match => [ "delivery_time","UNIX" ]
target => "delivery_time"
}

I've tried with addint the "timezone" field, but no success.

Can you help?

Thank you!
Mario

magnusbaeck · April 10, 2017, 7:38am

I matched the submission_time value to @timestamp and also to the same field for more human readable value.

Human readable where?

@timestamp works perfect, correct time zone. While the submission_time and delivery_time show the UTC time.

Where?

What's the mapping of the submission_time and delivery_time fields?

mitabrev · April 10, 2017, 8:29am

This is my filer in .conf file:

date {
match => ['submission_time', 'UNIX']
}

date {
match => ['submission_time', 'UNIX']
target => 'submission_time'
}

date {
match => ['delivery_time', 'UNIX']
target => 'delivery_time'
}

and my result:

@timestamp April 7th 2017, 18:33:59.000 <-- OK
submission_time 2017-04-07T16:33:59.000Z
delivery_time 2017-04-07T16:33:59.000Z

2 hour difference. I'm guessing i need to to change type of field?

BR,
Mario

magnusbaeck · April 10, 2017, 8:57am

What are the mappings of the fields in Elasticsearch? Use ES's get mapping API.

mitabrev · April 10, 2017, 10:02am

{
  "bkki-2017.04.07" : {
    "mappings" : {
      "logs" : {
        "submission_time" : {
          "full_name" : "submission_time",
          "mapping" : {
            "submission_time" : {
              "type" : "date"
            }
          }
        }
      }
    }
  }
}


  "bkki-2017.04.07" : {
    "mappings" : {
      "logs" : {
        "delivery_time" : {
          "full_name" : "delivery_time",
          "mapping" : {
            "delivery_time" : {
              "type" : "date"
            }
          }
        }
      }
    }
  }
}

magnusbaeck · April 10, 2017, 11:45am

That's surprising. I thought Kibana formatted all timestamps and not just @timestamp.

system · May 8, 2017, 11:51am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.