mrunalini
July 1, 2021, 1:23pm
1
Hi Team,
I am using below xml/xpath statement to convert my string timestamp to date type timestamp in logstash
so my value is coming as date in kibana ,but 5:30 hrs more than current timestamp ,current timestamp is correct in field @timestamp but in my field its showing 5:30 hrs more .
logstash and kibana server timezone is IST
Please suggest method to resolve this in conf file.
You have not told us what your data looks like. It is unclear if you understand that logstash and elasticsearch store dates as UTC. Are you using a date filter or are you using dynamic mapping?
mrunalini
July 1, 2021, 8:17pm
4
Hi Badger,
my i/p is in xml and i am using xpath and string function to create date format
input -
<AdLels>
<AuditLevel>
<TS>2021-06-30-20:11:23</TS>
</AdMsg>
</AdLels>
xpath - xpath =>[ "concat(substring(/AdMsg/AdLels/AuditLevel/TS/text(), 1,10),'T',substring(/AdMsg/AdLels/AuditLevel/TS2text(), 12),'Z')", "PUT_TIME"]
PUT_TIME is now string like - 2021-07-02T01:39:53Z and kibana is showing this as type date - Jul 2, 2021 @ 07:09:53.000.
so this value in kibana is 5:30 hr more than current timestamp ,what need to be done to show it to timestamp same as @timestamp .
mrunalini:
2021-07-02T01:39:53Z
OK, the Z at the end means that that is Zulu, i.e. UTC. By default kibana will display that in your local time zone, which is five and half hours ahead of UTC. Use a date filter
date {
match => [ "PUT_TIME", "YYYY-MM-dd'T'HH:mm:ss" ]
timezone => "Asia/Kolkata"
target => "PUT_TIME"
}
That will change that time to 2021-07-01T20:09:53Z.
mrunalini
July 2, 2021, 3:14am
6
Hi @Badger ,
Thanks for reply!!
After using this code getting - _dateparsefailure in kibana.
in kibana @timestamp is still correct and my PUT_TIME is %:30 hrs more .
Please suggest why its not parsing.
Thanks ,
You changed your xpath to stop adding the 'Z', right?
mrunalini
July 2, 2021, 7:18am
8
Yes , I stopped adding Z, still facing same - _dateparsefailure in kibana
xpath =>[ "concat(substring(/AdMsg/AdLels/AuditLevel/TS/text(), 1,10),'T',substring(/AdMsg/AdLels/AuditLevel/TS/text(), 12))", "PUT_TIME"]
mrunalini
July 2, 2021, 10:21am
9
Hi @Badger /Team,
Please help with the issue .
leandrojmp
July 2, 2021, 1:27pm
10
Please, do not ping people or bump your post.
You need to share your logstash pipeline, without seeing your logstash pipeline is not possible to see what is wrong.
Also share the result message that give you the date parse failure.
mrunalini
July 2, 2021, 2:19pm
11
Input -
and Pipeline config file as below:
input {
}
}
}
mutate {
remove_field =>"PUT_TIME"
}
}
match => ["PUT_TIME", "yyyy-MM-dd'T'HH:mm:ss.SSS","yyyy-MM-dd'T'HH:mm:ss"]
elasticsearch {
}
stdout { codec => rubydebug }
mrunalini
July 2, 2021, 2:23pm
12
Sorry xml Input not pasted correctly so added image:
mrunalini
July 5, 2021, 3:16am
13
Hi Team,
Can someone please respond?
mrunalini
July 6, 2021, 10:02am
14
Hello Team,
This has been pending for long now , can someone please advise
Badger
July 6, 2021, 4:00pm
15
What is the value of [PUT_TIME] in kibana? In Discovery, expand an event and copy and paste the value of the field from the JSON tab.
mrunalini
July 7, 2021, 8:15am
16
Hi Badger,
Put time in JSON Doc is - 2021-07-07T13:44:15
but in table it shows - Jul 7, 2021 @ 19:14:15.000
Badger
July 7, 2021, 5:49pm
17
That sounds like it is working as expected. "Jul 7, 2021 @ 19:14:15.000" is the default display format for Kibana, and it is offset from UTC by 5:30.
mrunalini
July 7, 2021, 6:14pm
18
Hi
I want to show original date not the 5:30 hrs more .
Is it possible to do that?
mrunalini
July 7, 2021, 6:17pm
19
I do not have issues with the display of the time , i need it to be shown the original date ,not the 5:30 hrs more.
I there possible way to do that.
Badger
July 7, 2021, 6:17pm
20
Elasticsearch stores the date as UTC, by default Kibana transforms that to the browser's timezone. If you want to change that reconfigure Kibana:
Settings -> Advanced -> DateFormat:tz
