We can compare these two screenshots; the only difference between them is the index.
My expectation is that these two results should be the same, because the time is the same. But why are they different? And I think the first one is the correct one, since all the data from today should be stored in the index netflow-2017.12.16.
And how can I fix the issue? It's impossible for me to create so many indexes every day.
Indices created by Logstash using a timestamp are split based on the event timestamp, which is in the UTC timezone. Kibana adjusts your view based on the local timezone, so unless you are physically located in the UTC timezone, your definition of 'today' may cover events in more than one daily index. The results from the second pattern are therefore the correct ones.
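As an added illustration of this answer (example code written for this page, not from the thread, Logstash or Kibana), the snippet below computes which UTC-based daily indices a viewer's local "today" actually spans; it assumes the default `%{+YYYY.MM.dd}` daily index naming and uses fixed UTC offsets for the constructed sample rather than DST-aware zones.

```python
# Added example: Logstash cuts daily indices on the event's UTC date, while
# Kibana's "today" is a local-time window, so one local day can touch two
# indices. Index layout assumed: <prefix>-YYYY.MM.DD (default %{+YYYY.MM.dd}).
from datetime import datetime, date, time, timedelta, timezone

UTC = timezone.utc


def index_for_event(prefix: str, event_ts: datetime) -> str:
    """Daily index an event lands in: the date is taken after converting to UTC."""
    if event_ts.tzinfo is None:
        raise ValueError("event timestamp must be timezone-aware")
    return f"{prefix}-{event_ts.astimezone(UTC):%Y.%m.%d}"


def indices_for_local_day(prefix: str, local_day: date, tz: timezone) -> list:
    """All daily indices that can hold events from one calendar day in `tz`.

    This is the set a wildcard pattern such as netflow-* must cover when
    Kibana's time picker is set to 'today' in that timezone.
    """
    start = datetime.combine(local_day, time.min, tzinfo=tz).astimezone(UTC)
    end = start + timedelta(days=1)              # exclusive upper bound
    last = end - timedelta(microseconds=1)       # last instant of the local day
    names, day = [], start.date()
    while day <= last.date():
        names.append(f"{prefix}-{day:%Y.%m.%d}")
        day += timedelta(days=1)
    return names


# Constructed sample values: a viewer at UTC+8 and one at UTC-8 (fixed offsets,
# DST ignored), looking at the day from the thread.
SAMPLE_DAY = date(2017, 12, 16)
SAMPLE_TZ_EAST = timezone(timedelta(hours=8))
SAMPLE_TZ_WEST = timezone(timedelta(hours=-8))
SAMPLE_EVENT = datetime(2017, 12, 16, 2, 30, tzinfo=SAMPLE_TZ_EAST)  # 02:30 local


def demo() -> dict:
    """Collect the results so they can be inspected or checked in one place."""
    return {
        "event_index": index_for_event("netflow", SAMPLE_EVENT),
        "east": indices_for_local_day("netflow", SAMPLE_DAY, SAMPLE_TZ_EAST),
        "utc": indices_for_local_day("netflow", SAMPLE_DAY, UTC),
        "west": indices_for_local_day("netflow", SAMPLE_DAY, SAMPLE_TZ_WEST),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

An event written at 02:30 local time on the 16th (UTC+8) is stored in netflow-2017.12.15, which is why the single-index query in the first screenshot misses it.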
Where do you want to change the time zone? Timestamps in Elasticsearch are always in UTC, so trying to change that would most likely result in a lot of issues across the stack.