Local timezone being assumed as UTC

Hello All,
I have inherited a logstash/kibana install. I am a newbie to this product, and I have been asked to fix a few problems with it.

The biggest one is that our logs, which are imported using filebeat, are always 10 hours into the future. I believe this is because the raw logs, which look like this

2019-05-30T00:21:38.340 Int 50052 007301CE-10067E55 3740 incall_initiated 0:0

have no timezone included and are in local time GMT+10, and logstash assumes this is UTC. Therefore in kibana we need to set the date range picker to 10 hours ahead of the current time to see recent logs.

The current filter looks like this

filter {
  grok {
    match => [
      "message", "%{TIMESTAMP_ISO8601:timestamp}%{SPACE}%{WORD:GVP_LogLevel}%{SPACE}%{INT:GVP_Component}%{SPACE}%{NOTSPACE:GVP_CallID}%{SPACE}%{INT:GVP_SEQ}%{SPACE}%{GREEDYDATA:GVP_Log}"
    ]
  }
  if "_grokparsefailure" in [tags] {
    drop { }
  }
}

From searches of this forum and the internet in general, I think I need to add the following to the filter { }

date {
  # Joda-style pattern: the literal T has to be quoted
  match => ["timestamp", "yyyy-MM-dd'T'HH:mm:ss.SSS"]
  # Zone names use a forward slash
  timezone => "Australia/Brisbane"
}

I'm not sure what I need to restart to parse the configuration file.
I'm really hoping someone can let me know if I'm on the right track to fix this problem.
Thanks
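
Added example, not part of the original post: a Python sketch of what happens to the sample line when its zone-less timestamp is read as UTC versus as GMT+10, plus a check that flags future-dated events, the symptom described above. The regex only approximates the grok pattern, and the function names and the ingest time are assumptions made for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Regex approximating the grok pattern in the post (same field names).
LINE_RE = re.compile(
    r"^(?P<timestamp>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<GVP_LogLevel>\w+)\s+(?P<GVP_Component>\d+)\s+"
    r"(?P<GVP_CallID>\S+)\s+(?P<GVP_SEQ>\d+)\s+(?P<GVP_Log>.*)$"
)

UTC = timezone.utc
GMT_PLUS_10 = timezone(timedelta(hours=10))  # source offset stated in the post


def parse_event(line, source_tz):
    """Parse a line; read its zone-less timestamp as source_tz, store it as UTC."""
    m = LINE_RE.match(line)
    if m is None:
        return None  # counterpart of dropping on _grokparsefailure
    event = m.groupdict()
    naive = datetime.strptime(event["timestamp"], "%Y-%m-%dT%H:%M:%S.%f")
    event["@timestamp"] = naive.replace(tzinfo=source_tz).astimezone(UTC)
    return event


def future_dated(lines, source_tz, ingest_utc, tolerance=timedelta(minutes=5)):
    """Return events stamped later than ingest time plus tolerance."""
    events = (parse_event(ln, source_tz) for ln in lines)
    return [e for e in events if e and e["@timestamp"] > ingest_utc + tolerance]


# Constructed input: the sample line from the post plus one malformed line.
SAMPLE = [
    "2019-05-30T00:21:38.340 Int 50052 007301CE-10067E55 3740 incall_initiated 0:0",
    "not a log line",
]
# Constructed ingest time: two seconds after the event really happened.
INGEST = datetime(2019, 5, 29, 14, 21, 40, tzinfo=UTC)

if __name__ == "__main__":
    wrong = parse_event(SAMPLE[0], UTC)["@timestamp"]
    right = parse_event(SAMPLE[0], GMT_PLUS_10)["@timestamp"]
    print("assumed UTC  :", wrong.isoformat())
    print("GMT+10 -> UTC:", right.isoformat())
    print("skew:", wrong - right)
    print("future-dated (UTC assumed):", len(future_dated(SAMPLE, UTC, INGEST)))
    print("future-dated (GMT+10):", len(future_dated(SAMPLE, GMT_PLUS_10, INGEST)))
```

Events that land in the future relative to ingest time are a quick indicator of a misread source timezone, which matters when timelines from several log sources have to line up.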
