Getting @timestamp value in Server's timezone, not UTC


(Anirban Sen) #1

Hi,

My log-line looks like:
12.170.89.115 [22/Aug/2017:00:08:11 -0400] "GET /home.html HTTP/1.1" 200 714 13818 - (-) "-" "Java/1.5.0"

And the grok filter is:
grok {
  match => {
    # "[" and "]" are regex metacharacters in grok and must be escaped
    "message" => '%{IPORHOST:clientip} \[%{MONTHDAY:day}/%{MONTH:month}/%{YEAR:year}:%{TIME:time} %{INT:timezone}\] "%{NOTSPACE:method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:httpversion}" %{NOTSPACE:status} %{NOTSPACE:size} %{NUMBER:responsetime:int} %{NOTSPACE:hostname} %{NOTSPACE:ratio} %{QS:referrer} %{QS:agent}'
  }
}

mutate {
  add_field => {
    # the grok pattern above names the field "day", so it is %{day} here, not %{mday}
    "timestamp" => "%{day}/%{month}/%{year}:%{time}"
  }
}
date {
  match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss" ]
  timezone => "America/Aruba"
}

Result: "@timestamp": "2017-08-22T04:08:11.000Z"

But,
GOAL is to get the @timestamp value in the server timezone, i.e. "@timestamp": "2017-08-21T20:08:11.000Z"

To achieve this I have changed the timezone to "Asia/Dubai" which is actually +0400 and not -0400.
date {
  match => [ "timestamp", "dd/MMM/YYYY:HH:mm:ss" ]
  timezone => "Asia/Dubai"
}

Is this the correct way to do it? Is there any better alternative?
Please suggest.


(Christian Dahlqvist) #2

Elasticsearch and the rest of the stack require timestamp fields to be in UTC, so trying to force it into something else will cause problems.

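An added worked example (not code from either poster or from the Logstash project) that makes the point of the two posts above concrete. It parses the sample line from the question with a small regular expression standing in for the grok pattern, takes the UTC offset from the log line itself (the same thing a `Z` token in the date filter's match pattern does), and compares three things: the instant the line actually describes rendered as UTC, the instant you get by forcing a +0400 zone onto the naive timestamp (the Asia/Dubai variant), and how the correct UTC value reads when converted for display in the server's -0400 zone. The regex, function names and the fixed-offset zones are assumptions made for this example; the log line is the one quoted in the question.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample line copied from the question above (a constructed input, not live traffic).
LOG_LINE = ('12.170.89.115 [22/Aug/2017:00:08:11 -0400] "GET /home.html HTTP/1.1" '
            '200 714 13818 - (-) "-" "Java/1.5.0"')

# Hypothetical regex standing in for the grok pattern: it pulls out the bracketed
# timestamp together with the UTC offset that the log line already carries.
TS_RE = re.compile(r'\[(?P<day>\d{2})/(?P<month>[A-Za-z]{3})/(?P<year>\d{4}):'
                   r'(?P<time>\d{2}:\d{2}:\d{2}) (?P<offset>[+-]\d{4})\]')


def parse_event_time(line):
    """Return the event time as a timezone-aware datetime.

    The offset comes from the line itself, so the result is an unambiguous
    instant no matter where the pipeline runs (equivalent to including the
    offset field in the timestamp and matching it with 'Z' in the date filter).
    """
    m = TS_RE.search(line)
    if m is None:
        raise ValueError("no bracketed timestamp found in line")
    stamp = f"{m['day']}/{m['month']}/{m['year']}:{m['time']} {m['offset']}"
    return datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def parse_with_forced_zone(line, hours):
    """Mimic date { timezone => ... } with a fixed-offset zone.

    The offset present in the line is ignored and the naive time is declared
    to be in the given zone. With hours=4 this reproduces the Asia/Dubai
    variant from the question.
    """
    m = TS_RE.search(line)
    if m is None:
        raise ValueError("no bracketed timestamp found in line")
    naive = datetime.strptime(f"{m['day']}/{m['month']}/{m['year']}:{m['time']}",
                              "%d/%b/%Y:%H:%M:%S")
    return naive.replace(tzinfo=timezone(timedelta(hours=hours)))


def to_utc_iso(dt):
    """Render an aware datetime the way Elasticsearch stores @timestamp (UTC)."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def local_view(dt, hours):
    """Display-time conversion of a stored UTC instant into a local zone.

    This is the layer where 'server time' belongs: the stored value stays UTC
    and only the rendering changes.
    """
    return dt.astimezone(timezone(timedelta(hours=hours))).strftime("%Y-%m-%dT%H:%M:%S%z")


def skew_seconds(line, forced_hours):
    """How far the forced-zone interpretation drifts from the real instant."""
    delta = parse_event_time(line) - parse_with_forced_zone(line, forced_hours)
    return int(delta.total_seconds())


if __name__ == "__main__":
    real = parse_event_time(LOG_LINE)
    print("stored (UTC):          ", to_utc_iso(real))
    print("forced +0400 (UTC):    ", to_utc_iso(parse_with_forced_zone(LOG_LINE, 4)))
    print("displayed in -0400:    ", local_view(real, -4))
    print("skew of forced zone (s):", skew_seconds(LOG_LINE, 4))
```

Running it shows that `2017-08-22T04:08:11.000Z` is the correct stored value for the line, that forcing +0400 yields `2017-08-21T20:08:11.000Z`, an instant eight hours earlier than the request actually happened, and that rendering the correct UTC value in the -0400 zone gives back `00:08:11 -0400` exactly as the log file shows. Searching, alerting and correlating against events from other hosts all depend on the stored instant being right, so the zone conversion should happen at display time, not in the pipeline.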

(system) #3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.