EET Time converted to UTC....... why?

sunilmchaudhari · June 2, 2017, 6:52am

Hi,
I have below configuration to logstash indexer.

 grok {
                 match => { "message" => "%{TIMESTAMP_ISO8601:logTime}" }
         }

log message:
2017-06-02 08:28:59,335 | INFO acknowledgeMessages Acknowledging 1 messages up to message id ID:43bf1b4f-59c7-311d-a661-fe4978998ac3

As per the indexer configuration, expected logTime field value should be : 2017-06-02 08:28:59,335

However, When I get query, it shows 2017-06-02T05:28:59.335Z. Exactly 3 hours less than actual time. All the servers are in same timezone. Logstash/elasticsearc/Kibana browser

"_source":
                {
                    "@timestamp": "2017-06-02T05:29:04.072Z",
                    "Application": "myApp",
                   "beat":
                    {
                    },
                    "count": 1,
                    "message": "2017-06-02 08:28:59,335 | INFO  acknowledgeMessages Acknowledging 1 messages up to message id ID:43bf1b4f-59c7-311d-a661-fe4978998ac3.",
                    "offset": 820439,
                    "source": "/var/log//wrapper_20170602.log",
                    "type": "info",
                    "@version": "1",
                    **"logTime": "2017-06-02T05:28:59.335Z"**
                }

its not problem for KIbana. In Kibana it shows me correct value as expected: 2017-06-02 08:28:59,335
Its creating problem for me when I set up elastalert over it. When I receive an email from elastalert, it shows the time stored in ES.
logTime: 2017-06-02T05:28:59.335Z. This creates confusion to the recipient, because actual timestamp is message is "2017-06-02 08:28:59,335" and it shows 3 hours less than it.
Can anybody tell me whats happening over here? What changes I have to do?

warkolm · June 2, 2017, 7:04am

LS and ES assume UTC.
If you want to change that then use a date filter and set the TZ accordingly.

sunilmchaudhari · June 2, 2017, 7:49am

Hi,
Thanks for comment.
Change in elastalert code solved my problem.
I made elastalert to behave like kibana This made possible to change logTime back to local timezone from UTC.

Cheers,
Sunil.

warkolm · June 2, 2017, 7:50am

Not really, you've just shifted it somewhere else!

sunilmchaudhari · June 2, 2017, 7:50am

Oh!
Can you please elaborate?

warkolm · June 2, 2017, 8:00am

Like I said, ES and LS work off UTC.
If you integrate anything else into ES then you have to tell it that the time it is receiving is not UTC. So all you have done is shift the problem onto this client and any future ones.

system · June 30, 2017, 8:01am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.