Hi !
I know that this question comes back often but I didn't find a good answer for my problem.
So I set up a cluster of 3 servers: Two are made up with the docker image sebp/elk and the kibana server is installed with the elastic repo.
Everything work fine except the timestamp shown in kibana.
I change the localtime in the docker containers and reboot them but nothing changed.
My logstash confs do not include any date parsing and worked on a test node.
Thanks !
The timestamps are supposed to be stored in UTC in Elasticsearch and the Kibana web app (i.e. your browser) adjusts the timestamps to local time. The latter behavior is configurable via Settings -> Advanced.
1 Like
I adjusted the time to my timezone but it still don't work ! the @timestamp still has 2 more hours than the time in the log.
EDIT: by puting Etc/GMT+0 It works but Europe/Paris doesn't have the good time. If I want to visualize the last 15 minutes, I see the last 15 minutes but 2 hours ago..
Is "Oct 24 13:01:59" in UTC+2? What's stored in ES for that event, i.e. what's the raw @timestamp
value? You can find it in Kibana on the JSON tab if you expand the message in the Discover view.
France is in UTC+1.
Here's the value: 1477315740000 (well that's not the value of 13:01:59 but more of 13:29:00)
I put Kibane in gmt + 0.
France is in UTC+1.
No, not until Oct 30 when daylight savings time ends. Right now you're UTC+2.
Here's the value: 1477315740000
That's not what the @timestamp
fields looks like. Where did you get that from? Anyway, 1477315740000 is 2016-10-24 13:29:00 UTC. Your log files are UTC+2 so if they contain 13:29:00 the value stored in ES should be 11:29:00.
Yes you right, I just copied-pasted google.
Well this is what I get when I expand a message and click on JSON and search for the @timestamp field.
Well this is what I get when I expand a message and click on JSON and search for the @timestamp field.
Oh, you copied this part:
"fields": {
"@timestamp": [
1477306667396
]
},
This is the part I'm interested in:
"@timestamp": "2016-10-24T10:57:47.396Z",
So:
"@timestamp": "2016-10-24T13:36:20.000Z"
And:
"fields": {
"@timestamp": [
1477316180000
]
}
Okay. Your date filter is broken since it doesn't adjust the timezone of the parsed timestamp to UTC. The filter defaults to the system's timezone, but you can override that with the date filter's timezone
. In your case I suppose timezone => "Europe/Paris"
would be correct.
Here's what happens when I set Europe/Paris:
What do your filters look like?
This is the only conf I put in the logstash conf.d directory:
This is what I get when trying parts of your config, and I'm also in UTC+2:
$ cat test.config
input { stdin { } }
output { stdout { codec => rubydebug } }
filter {
date {
match => [ "message", "MMM d HH:mm:ss", "MMM dd HH:mm:ss" ]
}
}
$ echo 'Oct 24 11:57:51' | /opt/logstash/bin/logstash -f test.config
Settings: Default pipeline workers: 8
Pipeline main started
{
"message" => "Oct 24 11:57:51",
"@version" => "1",
"@timestamp" => "2016-10-24T09:57:51.000Z",
"host" => "lnxolofon"
}
Pipeline main has been shutdown
stopping pipeline {:id=>"main"}
Are you getting something else if you try the same thing?
Not at all:
root@e3df854be0f8:~# echo 'Oct 24 11:57:51' | /opt/logstash/bin/logstash -f test.config
Settings: Default pipeline workers: 2
Pipeline main started
{
"message" => "Oct 24 11:57:51",
"@version" => "1",
"@timestamp" => "2016-10-24T11:57:51.000Z",
"host" => "e3df854be0f8"
}
Pipeline main has been shutdown
stopping pipeline {:id=>"main"}
EDIT: the localtime file used on my docker containers are Europe/Paris, maybe that's why we don't have the same output
And this doesn't change even if you add timezone => "Europe/Paris"
in your date filter?
Not at all. I think that it's a problem with the timezone from the docker container.
When I restart each container and watch logstash.log, the date printed is UTC and not UTC+2.
I thought I changed the hour from the docker containers..
But when setting the timezone
option the environment's timezone is overridden so it doesn't matter that the container runs UTC. Are the timezone files available inside the container? If it's a Debian-based container you should have the tzdata package installed with files in /usr/share/zoneinfo.
yes it's based on debian.
What I've done:
rm /etc/timezone
ln -s /usr/share/zoneinfo/Europe/Paris /etc/timezone
dpkg-reconfigure -f noninteractive tzdata
EDIT: IT WORKS ! I deleted the index and everything work fine ! Thank you for your time !