I am new to ELK and I apologize in advance for my question.
I am trying to extract data from one of the indices of Elasticsearch in Kibana Dev Tools through a query, but I am getting a data delay of nearly 5-6 hours. While visualizing on the Kibana dashboard it is showing correct data, but in the Kibana Dev Tools/Console it is showing a 5-6 hour data delay.
I have used Metricbeat to send data to Elasticsearch.
Can anyone please help me to understand why I am not able to get the current data in Dev Tools/Console?
Thanks in advance
Looking at the data in Dev Tools Console just shows you the raw data values that are in the documents.
When you look at the data in a Kibana visualization, the times will be formatted to a time zone of your choosing, that is configured in Advanced Settings.
Where to start looking is, when the data was stored in Elasticsearch, what time zone was it formatted with? If it was formatted as UTC for example, then in Kibana you'll want to go to that Advanced Setting and change it to UTC.
Man, this timezone thing has bugged me for so long. So confusing. Sorry for the rant.
But Tim is spot on. Data is saved in UTC format by default and Kibana converts it back to your timezone.
But Dev Tools does not do that.
I tried changing the time zone from UTC to Asia/Kolkata, but I am still getting the same issue.
When I changed the time zone to Asia/Kolkata it shows correct data on the Discover tab, but when changed to UTC it shows 5+ hours of delay in both the Dev Console and the Discover tab.
I have also tried to check the logs in Elasticsearch to see whether there was some issue while storing the data, but in the /var/lib/elasticsearch folder the logs are in an encrypted format.
Could you please help me to know which steps need to be corrected, so that I can get the desired output?
I have not found the solution for it yet.
Saving data into timezone => "whatever" and using the same timezone in Kibana.
But yes, Kibana shows X+ time on the bar. I have no clue how to fix it yet.
That's because midnight in Asia is not midnight in UTC. It sounds like you are located in a region that is 5 hours ahead of UTC.
Typically engineers want the source data to be timestamped in UTC because you can always convert it to another timezone when you display it. That allows colleagues in multiple time zones to synchronize and see the same events at the same time, in their local time.
When you look at raw data, it's not converted. That's what "raw" means.