How to change logstash default timezone

Manoj_Hettiarachchi · November 19, 2018, 9:00am

Hello,

In my system, I use filebeat and logstash. The data written to the log files are sent to logstash via filebeat. Some fields in the logs are filtered and saved in csv format using logstash.

Problem:

When saving data in CSV files I need to save data belongs to each day in sperate files. So my "output" is as follows.

output {
  csv {
     path => "/var/csv_reports/%{+YYYY}-%{+MM}-%{+dd}/transaction-report.csv"
     fields => ["timestamp","tid","api","user","application","app_id", "body"]
  }
}

The file is shifting process happens in UTC time. So the generated files contain data belongs to 2 days.
How can I change the default timezone of logstash to my timezone ( +5:30).

Your help is much appreciated.

Thanks,

asp · November 19, 2018, 9:35am

Hi,

don't know how to change it globally, but you can define the time zone used in your logs.
To do so, you need to use the date filter plugin:

date 
{
	match => ['LogTime', 'dd.MM.YYYY HH:mm:ss']
	timezone => "Europe/Berlin"
	
	# remove fields no longer needed
	remove_field => ['LogTime']
}

In the example above my date field is stored as "logTime".
Since I am not specifying a target, logtime is automatically stored in @timestamp.

So log time is Berlin time. Logstash converts it to UTC.
Kibana is converting UTC to browser's timestamp on loading the visualization. Internally elastic is storing the timestamp in utc.

Regards, Andreas

Manoj_Hettiarachchi · November 19, 2018, 11:04am

Hello @asp

I have added the "date" field to my filter {} area. But no success.
Still, the directory name is created according to UTC time zone.

Thanks,

Manoj_Hettiarachchi · November 19, 2018, 11:47am

Hello again

I have found a solution here: https://stackoverflow.com/questions/29302444/convert-timestamp-timezone-in-logstash-for-output-index-name

so my new logstash config is as fallows

filter{
..........
ruby {
        code => "event.set('index_day', event.get('[@timestamp]').time.localtime.strftime('%Y%m%d'))"
    }
}

output {
  csv {
     path => "/var/csv_reports/%{index_day}/transaction-report.csv"
     fields => ["timestamp","tid","api","publisher","user","consumerKey","application","app_id"]
  }
}

Now the directory name can is created with the timestamp in my log lines.
This solved my issue.

system · December 17, 2018, 11:47am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Timezone in UTC causes wrong filename Logstash	4	1371	February 16, 2021
Changing timezone Logstash	3	3377	November 17, 2019
[ELK]logstash default timezone cause index splitting problem in different timezones Logstash	15	6351	July 6, 2017
How to change logstash default timezone Logstash	2	662	April 7, 2021
Log Timezone Question Logstash	13	4864	January 10, 2020

How to change logstash default timezone

Related topics