Creation date of logstash created files, with %{+YYYY.MM.dd} in the name, is offset by few hours

Elastic Stack Logstash
1

Logstash sends all unprocessed leftovers into a separate .log file for archiving purposes

output{
file {
path => "/var/log/logstash/archive-%{+YYYY.MM.dd}.log"
}
}
The problem is that logstash additionally offsets the date (at least I assume it does) by my timezone (Etc/GMT-5, +5:00), so instead of starting to write in the new file at midnight it only does so at 5 in the morning.
Is it possible to add manual offset by minus 5 hours or I have to add usage of ruby in the config file to receive local time and use it for the name instead?

2

This is UTC.

You can do an offset, but it's a little bit hacky via a filter. Consider (I used per-hour, just take away the .%H / .HH to make it per day)

# echo '{"message":"test from bash"}' > /dev/tcp/localhost/5514

# ls -ltr /var/log/logstash/logstash-archive-*
-rw-r--r-- 1 logstash logstash 118 Feb 11 11:28 /var/log/logstash/logstash-archive-utctime-2026.02.11.10.log
-rw-r--r-- 1 logstash logstash 118 Feb 11 11:28 /var/log/logstash/logstash-archive-loctime-2026.02.11.11.log

# date
Wed Feb 11 11:29:21 AM CET 2026

# date --utc
Wed Feb 11 10:29:30 AM UTC 2026

# cat /etc/logstash/conf.d/pipeline.conf
input {
  tcp {
    port => 5514
    codec => json
  }
}

filter {
  ruby {
    code => "
      t = event.get('@timestamp').time.localtime
      event.set('index_day', t.strftime('%Y.%m.%d.%H'))
    "
  }
}

output {
  file {
    path => "/var/log/logstash/logstash-archive-utctime-%{+YYYY.MM.dd.HH}.log"
  }
  file {
    path => "/var/log/logstash/logstash-archive-loctime-%{index_day}.log"
  }
}

# cat /var/log/logstash/logstash-archive-utctime-2026.02.11.10.log
{"@timestamp":"2026-02-11T10:28:58.245362535Z","index_day":"2026.02.11.11","message":"test from bash","@version":"1"}

# cat /var/log/logstash/logstash-archive-loctime-2026.02.11.11.log
{"@timestamp":"2026-02-11T10:28:58.245362535Z","index_day":"2026.02.11.11","message":"test from bash","@version":"1"}
1 Like
3

So I do have to add block for ruby… Ah well, cheers
cramped both lines into one event.set, Logstash is seemingly unhappy with ruby having it’s own variables
event.set('index_date', event.get('@timestamp').time.localtime.strftime('%Y.%m.%d')

4

What’s happening is that %{+YYYY.MM.dd} uses the event’s @timestamp, and that timestamp is in UTC by default. So your file rollover is based on UTC midnight, not your local time — that’s why it switches around 5 AM for you. You don’t need Ruby for this.

The cleaner fix is to make sure the event timestamp is converted to your local timezone before the file output runs. You can do that with the date filter by setting the timezone properly when parsing the timestamp, or by adjusting @timestamp to your local zone.

Another option (simpler if this is just for file naming) is to set Logstash’s JVM timezone to your local timezone instead of UTC. You can do that by adding:

-Duser.timezone=Etc/GMT-5

to your Logstash JVM options and restarting the service. That way, the date pattern in the filename will roll over at your local midnight instead of UTC. So no, you don’t need Ruby — just align Logstash’s timezone handling with your local time.

1 Like
5

Hello and welcome,

Just as information, this does not work, the @timestamp field in Logstash will always be in UTC, it doesn't matter if you change the timezone of the server or the process, it will always convert it to UTC.

In this case, the ruby approach is the way to create files with the date and/or time in local time.

2 Likes