How to add day of month field but with certain timezone

yuswanul · December 13, 2023, 3:24am

i want to create a "day of month" field for my visualization. I already did this using a scripted field before. but since I chose Grafana to visualize my data, I can't use that scripted field there. so I want to generate it from logstash; here is the script in kibana:

month:
ZonedDateTime pst = doc['process_timestamp.date_histogram.timestamp'].value.withZoneSameInstant(ZoneId.of('Asia/Jakarta')); return pst.getMonthValue();

day:
ZonedDateTime pst = doc['process_timestamp.date_histogram.timestamp'].value.withZoneSameInstant(ZoneId.of('Asia/Jakarta')); return pst.getDayOfMonth();

how do I do it if I want to create a day-of-month field with my timezone? i already tried this but I got UTC timezone

mutate {
 add_field => {"dayOfmonth" => "%{+dd-HH}"}
}

*i added HH just to make sure what timezone is being used and I'm still working with date filter but has not yet found a solution

Thanks

Badger · December 13, 2023, 3:55am

logstash [@timestamp] is always UTC, so "%{+dd-HH}" is always going to be UTC. You would need to use a ruby filter to apply the timezone offset.

yuswanul · December 13, 2023, 4:02am

thank you. finally i found this

Rios · December 13, 2023, 4:26am

Yes, you have to use ruby because UTC which Badger mentioned.
Another approach:

 ruby {
    code => "
	require 'tzinfo'
    current_time = Time.now
	timezone = TZInfo::Timezone.get(current_time.zone)
	timezone_name = timezone.name
	 event.set('[@metadata][tz]', timezone_name)
    "
  }
 
mutate { add_field => {"dayOfmonth" => "%{+dd-HH} %{[@metadata][tz]}"} }

yuswanul · December 13, 2023, 4:35am

I tried using your code, but I got this error in logstash:

 Ruby exception occurred: Invalid identifier: WIB {:class=>"TZInfo::InvalidTimezoneIdentifier"

and also in kibana, it gives me something like this

Rios · December 13, 2023, 4:42am

You should use ruby in LS.

input {
  generator {
       message => "2023-11-25 15:51:46 DEBUG Request Approved"
	   count => 1
  }
} 

filter {

 ruby {
    code => "
	require 'tzinfo'
    current_time = Time.now
	timezone = TZInfo::Timezone.get(current_time.zone)
	timezone_name = timezone.name
	 event.set('[@metadata][tz]', timezone_name)
    "
  }
  
   	 mutate {
 add_field => {"dayOf" => "%{+dd-HH} %{[@metadata][tz]}"}
 remove_field => ["host", "event",  "message"]
} 

  
}
output {
 stdout { codec => rubydebug{ metadata => false} }
}

Result in LS 8.11:

{
         "dayOf" => "13-04 CET",
      "@version" => "1",
    "@timestamp" => 2023-12-13T04:40:31.648947Z
}

system · January 10, 2024, 4:43am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.