I have installed metricbeat 6.3.0 in my windows 8 and I configured few metricsets in system module and I am sending data to logstash output and also I have the enable the add_locale in the metricbeat.yml as like below,
Please correct me if my configuration is wrong.
Since the timestamp field value is not matching with my machine local time zone and I want the timestamp value to be changed from UTC to local time zone value
Please let me know your thoughts it would be very helpful.
The correct configuration to have Metricbeat add the locale name in beat.timezone is
processors:
- add_locale:
format: abbreviation
But why do you need this? This processor is usually only needed when the data contained in the event has some relation to the timezone (e.g. has timestamps in logs without timezones or you are interpreting whether a user logon occurred during normal working hours).
Are you trying to change @timezone from UTC to your local timezone? If so, the first please see the advice here.
I have configured the beat.timezone in metricbeat.yml as like below,
With format as abbreviation
With format as offset
I tried both of them separately but the value of the timestamp is showing in the UTC. Since the metricbeat is running in my machine which is in IST, so I want the timestamp value to be in IST.
Please correct me if my syntax is wrong in the configuration.
I am sending the metricbeat data to graylog through logstash output and in my graylog i have created beats input so the data will receive to that port successfully.
When the data is sending to graylog it will check the timestamp field and if the timestamp does not contain timezone information it will assume that this timestamp without timezone information is UTC so I don't want that to happen.
So that's why I am trying to send data with timezone. Please let me your thoughts it would be very helpful.
I think you are not understanding what the add_locale processor does.
It does not change the timezone of @timestamp from UTC to the host's local timezone.
It does not accept beat.timezone as a parameter. (see my example config above or the docs).
It does determine the host's currently configured timezone and add a new field to the event named beat.timezone that has a value containing the either the timezone abbreviation or offset from UTC in hh.mm format.
There is no way to change @timezone to anything other than UTC on the Beat side.
The @timestamp values produced by Beats are an ISO 8601 format of 2006-01-02T15:04:05.000Z. They do contain a timezone as indicated by the Z for Zulu time (UTC). So why not just pass this through to Graylog as is?
I don't know of built-in filters for changing @timestamp to a different timezone (this is a common task). But I found some ruby code here that might work.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
