Logstash creates index which is 2 dates ahead

Steve_1 · June 2, 2017, 12:53am

In my case log record timestamp doesn't have date value, just time, assuming that date value is current date.

logstash .conf:

input {
  beats {
    port => 5044
  }
}

filter {
  if [type] == "filebeat" {
    grok {
      match => {"message" => "(?<logTime>[0-9]{2}:[0-9]{2}:[0-9]{2},[0-9]{3}) (?<logLevel>[a-zA-Z]{1,})"}
    }
    mutate {
      add_field => {"logTimestamp" => "%{+YYYY-MM-dd} %{logTime}"}
      gsub => ["message", "%{logTime} ", ""]
    }
    date {
      match => ["logTimestamp", "YYYY-MM-dd HH:mm:ss,SSS"]
      remove_field => ["logTime", "logTimestamp"]
    }
  }
}

output {
  elasticsearch {
    hosts => "elasticsearch:9200"
  }
}

But when executing curl 'localhost:9200/_cat/indices?v', I can see index logstash-2017.06.03, even though today is 2017.06.01

Output log timestamp looks like: 2017-06-03T01:00:12.126Z

What's is the issue?

Christian_Dahlqvist · June 2, 2017, 5:40am

Is the system time on the hosts where Logstash and Beats run set correctly?

Steve_1 · June 2, 2017, 3:48pm

The dates are correct on those machines.
Btw, since today Logstash index is correct.

Steve_1 · June 2, 2017, 10:58pm

I just noticed another logstash index logstash-217.06.03 appeared again, though the timestamp for log record is created correctly and shows todays date 2017.06.02

I updated output in logstash.conf but that didn't fix the problem:

output {
  elasticsearch {
    hosts => "elasticsearch:9200"
    index => "logstash-%{+YYYY.MM.dd}"
  }
}

I just noticed Docker container time is 5 hours ahead from server time but the date is still 2017.06.02.
How can I sync container time with server time?

Another observation is that all logs with timestamp after 17:00:00 indexed with timestamp of the next day - logstash-2017.06.03

Christian_Dahlqvist · June 3, 2017, 6:30am

The time stamp is in UTC time zone, so depending on in which time zone you are located that may be correct.

Steve_1 · June 3, 2017, 9:20pm

But value of variable logTimestamp shows the correct date. But index time zone is different, how can I adjust it to my current time zone?

Steve_1 · June 5, 2017, 12:37am

I just figured out Logstash created date for my log record in UTC timezone:

Today is still 2017-06-04 but Logstash created date value for 2017-06-05 - for UTC timezone I guess.
Moreover, the _index has date 2017.06.06 even 2 day ahead.

I checked Logstash container time and shows correct date of the current time zone, though ES container shows date in UTC time zone.

Is there any way to fix the value of variable logTimestamp?

system · July 3, 2017, 12:38am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.