I have tried in this way:
logstash.conf
filter {
grok {
match => [
"message",
"%{YEAR:year}-%{MONTHNUM:month}-%{MONTHDAY:day}[T ]%{HOUR:hour}:?%{MINUTE:minute}(?::?%{SECOND:second})?%{ISO8601_TIMEZONE}? %{GREEDYDATA:syslog_data}"
]
}
mutate {
add_field => { "sys_timestamp" => "%{year}-%{month}-%{day}T%{hour}:%{minute}:%{second}Z" }
remove_field => [ "year", "month", "day", "hour", "minute", "second" ]
}
}
echo '2017-10-26T14:37:06.540286+02:00 some-data}' | logstash -f logstash.conf
Pipeline main started
{
"message" => "2017-10-26T14:37:06.540286+02:00 some-data",
"@version" => "1",
"@timestamp" => "2017-10-26T12:37:21.522Z",
"sys_timestamp" => "2017-10-26T14:37:06.540286Z"
}
Pipeline main has been shutdown
Now i have sys_timestamp with same format of @timestamp but in kibana the log is displayed with 2 hours more, although in the json view the timestamp is correct
does not it seem a logstash problem, maybe kibana?