I'm curious: when there's a pipeline with an output configured like this:
index => "log-%{+YYYY.MM.dd}"
what is the date variable referring to?
The timestamp on the log, or
the timestamp of the Logstash server?
If it refers to the timestamp of the Logstash server, then why is there an index with no date in its name in my cluster? I've already checked NTP on my Logstash servers and everything's fine. The log inside the index may not have a timestamp, but if the date in the index name refers to the server time, then it should be no problem, right? The index name should still have the date in it, but things are different here. What could be the problem?
As Badger said, it's using @timestamp, which can be sent by Beats or the app; if it is not, LS will use the UTC time from the LS server.
If you have a date conversion by the date plugin, the default is target => "@timestamp", which overwrites the LS local time with your matching field; in most cases that is the log time.
If you delete the @timestamp field, in some cases the output will have no idea about the time, which means log-%{+YYYY.MM.dd} will create the index log- , without the date in the name.
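A pipeline sketch of the behaviour described in the reply above, added here as an example and not taken from either poster's configuration: the date filter writes the parsed log time into @timestamp, and the output routes any event that has lost @timestamp to a fixed, clearly named index instead of letting it land in "log-". The field name log_time, the host URL and the fallback index name are assumptions.

```logstash
filter {
  # Parse the application's own time field (assumed name: log_time).
  # target defaults to "@timestamp"; it is spelled out here to show that the
  # Logstash receive time is overwritten by the log time on a successful match.
  date {
    match  => ["log_time", "ISO8601"]
    target => "@timestamp"
    # On a parse failure the event keeps its original @timestamp and is
    # tagged "_dateparsefailure" (the plugin's default tag), so it still
    # gets a dated index and can be found later.
  }

  # Do not strip @timestamp in a cleanup step such as:
  #   mutate { remove_field => ["@timestamp"] }
  # Without the field, %{+YYYY.MM.dd} has no date to format.
}

output {
  if [@timestamp] {
    # Normal case: the date in the index name is derived from the event's
    # @timestamp (UTC), not from the wall clock at write time.
    elasticsearch {
      hosts => ["https://es.example.internal:9200"]   # assumed host
      index => "log-%{+YYYY.MM.dd}"
    }
  } else {
    # Events that reached the output without @timestamp go to a fixed index
    # (assumed name) so they stay visible to searches, alerting and
    # retention rules that match on dated index patterns.
    elasticsearch {
      hosts => ["https://es.example.internal:9200"]   # assumed host
      index => "log-missing-timestamp"
    }
  }
}
```

Documents in the fallback index point to the filter or input that drops @timestamp, which is the thing to fix.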