Logstash date filter converting TIMESTAMP field to my local zone?

Yaswanth · June 5, 2017, 11:12am

HI,

I have logs in with following TIMESTAMP field in it and i am sending them to ES using logstash.

[2017-05-18 00:00:05,871]
[2017-05-18 00:00:06,161]
[2017-05-18 00:00:06,249]
[2017-05-18 15:30:06,339]

Normally if i parse this field through logstash using grok it will convert it into string , so i have used date filter for this:

 date {
    match => [ "TIMESTAMP" , "yyyy-MM-dd HH:mm:ss,SSS" ]
    target => "TIMESTAMP"
  }

When i seen in the output it is reducing -05.30h from each TIMESTAMP field . The output i got is like this:

"TIMESTAMP" => "2017-05-17T18:30:05.871Z",
"TIMESTAMP" => "2017-05-17T18:30:06.161Z",
"TIMESTAMP" => "2017-05-17T18:30:06.249Z",
"TIMESTAMP" => "2017-05-17T18:30:06.290Z",
 "TIMESTAMP" => "2017-05-18T10:00:06.339Z",

When i seen same TIMESTAMP field in the kibana i am getting original TIMEFIELD value. If logstash is sending the files to kibana then kibana also should has the reduced TIMEFIELD but it has correct one. Why ?

Thanks

magnusbaeck · June 7, 2017, 6:14am

The date filter always converts to UTC time because that's what ES stores. Kibana by default adjusts timestamps to the browser's timezone.

system · July 5, 2017, 6:14am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.