Logstash date format - Converting timestamp without timezone to timetamp with timezone

jasoninmel · December 2, 2020, 11:01pm

I got an event timestamp field without timezone stored in Elasticsearch as follows;

"open-date": "2016-05-28T00:00:00"

This time is in Australia/Melbourne timezone (AEDT/AEST).

I used the following filter to covert this to timestamp with timezone and specified the timezone;

date {
match => ["open-date", "yyyy-MM-dd'T'HH:mm:ss"]
timezone => "Australia/Melbourne"
target => "open_date_timezone"
}

In rebuy rebug output I can see the following;

"open_date_timezone" => 2016-05-27T14:00:00.000Z

I want it to be with timezone i.e +10 instead of 000Z. Is it possible to achieve this in Logstash?

I will be storing this in RDBMS and will be casting the string field to timestamptz format using following snippet in SQL.

CAST (? AS timestamptz)

Badger · December 2, 2020, 11:07pm

There are no double quotes around the value of [open_date]. It is not a string, it is a Logstash::Timestamp object. Such objects are always in UTC. If you want it to be a string you can use mutate+convert to make it so

mutate { convert => { "date_open" => "string" } }

You could replace the trailing Z with +10

mutate { gsub => [ "date_open", "Z$", "+10" ] }

but that moves it in time. If you want the field to be in Australia/Melbourne just use the string you started with.

jasoninmel · December 3, 2020, 12:32am

Thank you very much @Badger for highlighting the problem with date object being treated as a string when used quotes. It turned out the time has been adjusted to UTC (DB timezone is set to UTC) making the timezone offset to be updated correctly to +00. It is my bad that I didn't notice the different in time.

system · December 31, 2020, 12:32am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.