Index creation at 00:00 GMT+2

Hello

I've write a custom script that is monitoring my logstashes (3 machines at the moment) - each minute I am writing to my daily index an OK message. If my script detects that there are less than 9 entries for the last 10 minutes - it sends an email and automatically staarts logstash. So far, so good.

I noticed that i receive a bunch of emails from 00:00 to 02:00 GMT+2 (or in other words - from 22:00 - 00:00 UTC) that are saying there are no OK entries in the index. One of my team members noticed also that at 00:00 GMT+2 we don't have an index created, instead we got one at 02:00. GMT+2.

I am wondering is there a way to tell logstash to create the index not in UTC 00:00 but in GMT+2 00:00?

Not out of the box, no. Other tools rely on timeseries indexes to be UTC-based so it's easier to adapt your script to deal with that reality. Even if they're in local time you still have to deal with the fact that you have to query two indexes when running the query five minutes after the index has rolled over.

IIRC more recent versions of ES can quickly determine that an index doesn't contain any documents in a specific time range, so the impact of querying a very wide number of indexes is small.