Date Custom Field Timezone

Elastic Stack Logstash
1

Dear Forum,

i have a config which is as follows:

filter {

if [type] == "nginx-default" {
    grok {
    patterns_dir => "/etc/logstash/patterns"
        match => [ "message", "%{COMBINEDAPACHELOG}" ]
    }

    date {
             match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss +0100" ]
             timezone => "CET"
             target => "logdatetime"
   }

}

When i look for example into Kibana Table, i see:

grafik

Thats correct, as the Date/Time is the same as from the origin message! But when i look into JSON i get a value which differs exact an hour:

grafik

I believe its something about timezone or such. Can anyone help to get the correct values also in the JSON view!? I dont want to correct the values in kibana for view or fields, i want to have the values corrected with logstash, while its pushed into elastic, as i process the data later.

Thanks in advance,

regards

2

@timestamp is always UTC. This isn't configurable.

3

Well, ok, but how shoould i understand those:

grafik

@Timestamp UTC:

grafik

timestamp ETC:

grafik

logdatetime UTC:

grafik

Is there no way to have logdatetime in ETC?

4

You'd have to use a ruby filter. I think examples of that have been posted in the past.

5

Hey Magnus,

i know there are examples but i cant get it to work. Can you give a hint why this is not working:

date {
match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss +0100" ]
target => "tempdate"
}

    ruby {
         	 code => "event.set('logdatetime', event.get('tempdate').time.strftime('%Y-%m-%dT%H:%M:%S +0100'))" 	
         }

grafik

grafik

6

You need to convert the timestamp to the local timezone. I don't know OTOH how to do that. Perhaps

t = event.get('tempdate').time
t.localtime('+01:00')
event.set('logdatetime', t.strftime('%Y-%m-%dT%H:%M:%S +0100'))

works.

1 Like
7

Works. Made my Day, thanks. For someone else:

date {
              	 match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss +0100" ]
                 target => "tempdate"
        }
        
        ruby {
             	 code => "
             	 t = event.get('tempdate').time
				 t.localtime('+01:00')
				 event.set('logdatetime', t.strftime('%Y-%m-%dT%H:%M:%S +0100'))
				 "	
             }
3 Likes
8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.