Dealing with multiple timezones


#1

Hi, I use the ELK stack and I have machines in UTC time, machines in PST time and some in Eastern time. I wanted to know how you guys deal with this with your ELK stack. (BTW, I can't put everything in UTC.)

Even when I use the timezone option in the date filters, it doesn't look like it's working. Everything gets the 000 value.

In Kibana everything is shown in the same timezone (UTC).

ex:

    date {
      # Parse the zone-less syslog timestamp as Montreal local time
      match => [ "syslog_timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss", "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss" ]
      timezone => "America/Montreal"
    }

In Kibana, I rely on the timestamp when searching for data.

Thanks for the help


(Magnus Bäck) #2

Even when I use the timezone option in the date filters, it doesn't look like it's working. Everything gets the 000 value

Huh? Do you mean the "000Z" that the timestamp string ends with? That just means that the millisecond part is zero and that the timestamp is in UTC. If that's not what you meant, please be more specific.


#3

Yes, the timestamp is "@timestamp": "2015-12-14T18:40:01.000Z"

even with the specification of the timezone option:

timezone => "America/Montreal"

In fact, maybe I'm not understanding it well, but is specifying the timezone going to help when I search my data in Kibana?


(Magnus Bäck) #4

The timestamp is always converted to UTC for storage in Elasticsearch, and if your timestamps don't contain a timezone offset you need to explicitly configure what timezone should be used for the conversion to UTC. The trailing "Z" indicates that it's UTC. Kibana will adjust the stored UTC timestamps to the browser's local time.
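
Added example (not part of the original thread or any poster's configuration): one way to apply the advice in post #4 to a mixed fleet is to choose the date filter's timezone per source, so that every event lands on the correct UTC instant. The [site] field, its values and the unknown_site tag are assumptions made for this sketch; each shipper or input would have to set [site].

```logstash
filter {
  # Assumption: every event carries a hypothetical [site] field naming
  # the local time zone of the machine that wrote the log line.
  #
  # Constructed sample, one instant logged on 14 December 2015:
  #   site=montreal  "Dec 14 13:40:01"  -> 2015-12-14T18:40:01.000Z
  #   site=pacific   "Dec 14 10:40:01"  -> 2015-12-14T18:40:01.000Z
  #   site=utc       "Dec 14 18:40:01"  -> 2015-12-14T18:40:01.000Z
  # With one timezone applied to all three, the stored timestamps would
  # differ by up to eight hours and the events would not line up in Kibana.

  if [site] == "montreal" {
    date {
      match    => [ "syslog_timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss", "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss" ]
      timezone => "America/Montreal"
    }
  } else if [site] == "pacific" {
    date {
      match    => [ "syslog_timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss", "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss" ]
      timezone => "America/Los_Angeles"
    }
  } else if [site] == "utc" {
    date {
      match    => [ "syslog_timestamp", "MMM dd HH:mm:ss", "MMM d HH:mm:ss", "MMM dd yyyy HH:mm:ss", "MMM d yyyy HH:mm:ss" ]
      timezone => "UTC"
    }
  } else {
    # Do not guess a zone for unlabelled sources: mark the event so the
    # gap is visible and searchable instead of silently skewing timelines.
    mutate {
      add_tag => [ "unknown_site" ]
    }
  }
}
```

In every branch the stored @timestamp still ends in "Z"; what changes is the offset applied before the conversion to UTC.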


#5

Thanks!

