Locale automatically being set in date filter

punit_naik1 · February 5, 2016, 11:30am

I have a timestamp in my log and its already in the timezone that I want. But when I apply a date filter to it to convert it into a timestamp, it automatically is converted into my local time which I don't want because it already is and therefore it is converted unnecessarily and gives me wrong timestamp. How do I avoid this?

Please help!

magnusbaeck · February 5, 2016, 12:17pm

Can you give an example, including your configuration and information about the timezone of all hosts involved?

punit_naik1 · February 5, 2016, 12:20pm

Yes of course. Below is the config file.

input{
    file{
        path => ["/home/punit/spark.out"]
        start_position => "beginning"    
        codec => multiline 
                    {
                                pattern => "^%{NUMBER}/%{NUMBER}/%{NUMBER}"
                                negate => true
                                what => "previous"
                        }
        }
}
filter{
    grok{
        match => {"message" => "%{NUMBER:log_year}/%{NUMBER:log_month}/%{NUMBER:log_day} %{TIME:log_time} %{LOGLEVEL:log_level} %{DATA:component}: %{GREEDYDATA:log_message}"}
    }
    mutate{
        add_field => {"log_timestamp" => "%{log_year}-%{log_month}-%{log_day} %{log_time}"}
        rename => {"@timestamp" => "event_timestamp"}
                remove_field => ["@version","message","path","log_year","log_month","log_day","log_time"]
    }
    date{
        match => ["log_timestamp","yy-mm-dd HH:mm:ss"]
        target => "log_timestamp"
    }
}
output {
     stdout { codec => json }
    }

Its automatically doing +6:30 to the log timestamp even though I have not specified any timezone or locale.

magnusbaeck · February 5, 2016, 12:23pm

You didn't provide all information that was asked for. Are you taking into account that the date filter always converts timestamps to UTC?

punit_naik1 · February 5, 2016, 12:26pm

No I didn't know that it converted the timestamp to UTC. And what extra info do I have to provide?

punit_naik1 · February 5, 2016, 12:28pm

I want the time as it is in the log file.

magnusbaeck · February 5, 2016, 12:28pm

I said

Can you give an example, including your configuration and information about the timezone of all hosts involved?

and so far I've only seen the configuration. By example I mean what the timestamp looks before the date filter and what it looks like afterwards. The difference you're seeing is probably because of the conversion to UTC.

punit_naik1 · February 5, 2016, 12:33pm

Before date filter:

16/01/27 16:24:47

After date filter:

2016-01-27T10:54:47.000Z

Here is a line from the file:

16/01/27 16:24:47 INFO Master: Registered signal handlers for [TERM, HUP, INT]

magnusbaeck · February 5, 2016, 12:42pm

If your local timezone is UTC+6:30 then this is the expected behavior. The date filter always converts to UTC. This is not configurable.

punit_naik1 · February 5, 2016, 12:43pm

Okay thanks a lot @magnusbaeck. I think I was fretting for no reason.