elasticsearch 6.2
logstash 6.2
filebeat 6.2
logstash conf
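# Send events of type "s-response" to Elasticsearch and echo them to stdout.
if [type] == "s-response" {
  elasticsearch {
    # No scheme is given, so these hosts are contacted over plain HTTP unless
    # TLS is enabled on this output; the basic-auth credentials below would
    # then travel unencrypted. Consider ssl => true together with cacert.
    hosts => ["192.168.4.56:9200", "192.168.15.145:9200", "192.168.15.41:9200"]
    # The %{+YYYY-MM} part is formatted from @timestamp, which Logstash keeps in UTC.
    index => "s-response-%{+YYYY-MM}"
    # "elastic" is the built-in superuser; a dedicated user whose role only
    # allows writing to the s-response-* indices limits the damage if this
    # credential leaks.
    user => "elastic"
    # Resolved from the Logstash keystore (or an environment variable) at
    # startup, so the secret is not stored in the pipeline file or pasted
    # along with it. ES_PWD is a placeholder key name; the pipeline will not
    # start until that key is defined.
    password => "${ES_PWD}"
  }
  # Debug output: prints every full event to Logstash's stdout.
  stdout { codec => rubydebug }
}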
and stdout is
{
"code" => "200",
"tags" => [
[0] "beats_input_codec_plain_applied",
[1] "_geoip_lookup_failure"
],
"host" => "192.168.4.231",
"spent_time" => 54,
"application" => "smap-toll-path-link",
"beat" => {
"name" => "dbs-233",
"hostname" => "dbs-233",
"version" => "6.2.3"
},
"message" => "OK",
**"date" => "2018-04-09T19:08:43.430",**
"prospector" => {
"type" => "log"
},
"offset" => 13479,
"threadName" => "http-nio-8093-exec-5",
"@version" => "1",
"loggerName" => "smap_tollgate.controller.TollgateController",
"source" => "/app/smap/toll/log/smap_toll_allpath_links.2018-04-09.log",
"applicationVersion" => "0.0.1",
"type" => "s-response",
**"@timestamp" => 2018-04-09T11:08:49.109Z,**
"level" => "INFO"
}
I found that @timestamp is 8 hours earlier than the original time, while the date field (a custom JSON field) is unchanged.
Then I search the data in es,
192.168.4.56:9200/s-response-2018-04/_search?q=date:"2018-04-09T19:08:43.430"
The result is the same as in Logstash.
But when I use Kibana, the "date" (JSON field) is shown 8 hours later.
I create the index pattern, and chose the "date" field as "Time Filter field name".
The "date": "2018-04-09T19:08:43.430" in es
The date:April 10th 2018, 03:08:43.430 in kibana
I just want to use "date" as "Time Filter field name" and I don't want kibana to change the "date".
What should I do?
thanks a lot!