Hi,
My log-line looks like:
12.170.89.115 [22/Aug/2017:00:08:11 -0400] "GET /home.html HTTP/1.1" 200 714 13818 - (-) "-" "Java/1.5.0"
And the grok filter is:
    grok {
      match => {
        # Square brackets are regex metacharacters in grok, so the ones around
        # the timestamp must be escaped as \[ and \]
        "message" => '%{IPORHOST:clientip} \[%{MONTHDAY:day}/%{MONTH:month}/%{YEAR:year}:%{TIME:time} %{INT:timezone}\] "%{NOTSPACE:method} %{NOTSPACE:uri} HTTP/%{NOTSPACE:httpversion}" %{NOTSPACE:status} %{NOTSPACE:size} %{NUMBER:responsetime:int} %{NOTSPACE:hostname} %{NOTSPACE:ratio} %{QS:referrer} %{QS:agent}'
      }
    }
    mutate {
      # Field names must match the grok captures above (day, not mday)
      add_field => {
        "timestamp" => "%{day}/%{month}/%{year}:%{time}"
      }
    }
    date {
      # yyyy is the calendar year; YYYY is the Joda week-year and can be off around New Year
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss" ]
      timezone => "America/Aruba"
    }
Result: "@timestamp": "2017-08-22T04:08:11.000Z"
But,
GOAL is to get the @timestamp value in the server timezone; i.e., "@timestamp": "2017-08-21T20:08:11.000Z"
To achieve this I have changed the timezone to "Asia/Dubai" which is actually +0400 and not -0400.
    date {
      match => [ "timestamp", "dd/MMM/yyyy:HH:mm:ss" ]
      timezone => "Asia/Dubai"
    }
Is this the correct way to do it? Is there any better alternative for this?
Please suggest.
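A worked example, added here and not part of the original post, that reproduces in Python what the grok, mutate and date stages above do to the sample line, so the effect of the date filter's `timezone` option can be checked offline. It stands in for the date filter with plain `datetime` arithmetic (fixed -0400 and +0400 offsets in place of America/Aruba and Asia/Dubai, which is equivalent because neither zone observes DST), and adds a third variant that parses the offset grok captured in the `timezone` field rather than assuming one. The regex, function names and the fixed-offset substitution are this example's own choices, not Logstash internals.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample line, same shape as the one in the post.
LOG_LINE = ('12.170.89.115 [22/Aug/2017:00:08:11 -0400] "GET /home.html HTTP/1.1" '
            '200 714 13818 - (-) "-" "Java/1.5.0"')

# Python-regex equivalent of the grok pattern in the post; named groups stand in
# for the %{PATTERN:field} captures.
ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) \[(?P<day>\d{1,2})/(?P<month>[A-Za-z]{3})/(?P<year>\d{4}):'
    r'(?P<time>\d{2}:\d{2}:\d{2}) (?P<timezone>[+-]\d{4})\] '
    r'"(?P<method>\S+) (?P<uri>\S+) HTTP/(?P<httpversion>\S+)" '
    r'(?P<status>\S+) (?P<size>\S+) (?P<responsetime>\d+) '
    r'(?P<hostname>\S+) (?P<ratio>\S+) (?P<referrer>"[^"]*") (?P<agent>"[^"]*")$'
)

# Fixed offsets used instead of zoneinfo so the example runs without tzdata.
# Assumption: America/Aruba is always UTC-4 and Asia/Dubai always UTC+4 (no DST).
ARUBA = timezone(timedelta(hours=-4))
DUBAI = timezone(timedelta(hours=4))


def parse_line(line):
    """grok + mutate: extract the fields and build the 'timestamp' field."""
    m = ACCESS_RE.match(line)
    if m is None:
        raise ValueError("line does not match the access-log pattern")
    fields = m.groupdict()
    # mutate { add_field => { "timestamp" => "%{day}/%{month}/%{year}:%{time}" } }
    fields["timestamp"] = "{day}/{month}/{year}:{time}".format(**fields)
    return fields


def date_filter(timestamp, tz):
    """date { match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss"] timezone => tz }
    The pattern carries no zone, so the filter's timezone is assumed for the
    wall-clock time and the result is stored as UTC (what @timestamp holds)."""
    naive = datetime.strptime(timestamp, "%d/%b/%Y:%H:%M:%S")
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def date_filter_with_offset(timestamp, offset):
    """Variant: append the offset grok captured and let the pattern parse it,
    i.e. match => ["timestamp", "dd/MMM/yyyy:HH:mm:ss Z"] with no timezone option."""
    aware = datetime.strptime(f"{timestamp} {offset}", "%d/%b/%Y:%H:%M:%S %z")
    return aware.astimezone(timezone.utc)


def iso(dt):
    """Render a UTC datetime the way Logstash prints @timestamp."""
    return f"{dt:%Y-%m-%dT%H:%M:%S}.000Z"


if __name__ == "__main__":
    f = parse_line(LOG_LINE)
    print("timestamp field      :", f["timestamp"], f["timezone"])
    print("timezone America/Aruba:", iso(date_filter(f["timestamp"], ARUBA)))
    print("timezone Asia/Dubai   :", iso(date_filter(f["timestamp"], DUBAI)))
    print("offset from the line  :", iso(date_filter_with_offset(f["timestamp"], f["timezone"])))
```

Running it shows the three outcomes side by side: with America/Aruba the stored UTC value is 04:08:11Z (matching the post's first result), with Asia/Dubai it is 20:08:11Z on the previous day (the post's goal), and parsing the -0400 captured from the line itself lands on 04:08:11Z again, because @timestamp is always UTC and the line's own offset already says its local midnight was UTC-4.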