Logstash date format - Converting timestamp without timezone to timestamp with timezone

I got an event timestamp field without timezone stored in Elasticsearch as follows;

"open-date": "2016-05-28T00:00:00"

This time is in Australia/Melbourne timezone (AEDT/AEST).

I used the following filter to convert this to timestamp with timezone and specified the timezone;

date {
  match => ["open-date", "yyyy-MM-dd'T'HH:mm:ss"]
  timezone => "Australia/Melbourne"
  target => "open_date_timezone"
}

In ruby debug output I can see the following;

"open_date_timezone" => 2016-05-27T14:00:00.000Z

I want it to be with timezone, i.e. +10 instead of 000Z. Is it possible to achieve this in Logstash?

I will be storing this in RDBMS and will be casting the string field to timestamptz format using the following snippet in SQL.

CAST (? AS timestamptz)

There are no double quotes around the value of [open_date]. It is not a string, it is a Logstash::Timestamp object. Such objects are always in UTC. If you want it to be a string you can use mutate+convert to make it so

mutate { convert => { "date_open" => "string" } }

You could replace the trailing Z with +10

mutate { gsub => [ "date_open", "Z$", "+10" ] }

but that moves it in time. If you want the field to be in Australia/Melbourne just use the string you started with.
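The point made in the answer above, as an added Ruby example that is not part of the original thread: relabelling the trailing Z changes the instant, while shifting the clock fields together with the suffix keeps it. The helper names are hypothetical, and the fixed +10:00 offset (AEST, valid for the late-May sample value) is an assumption; dates in daylight saving time need the tz database.

```ruby
require "time"

# Constructed sample: the value from the question, known to be Melbourne local time.
LOCAL_STRING = "2016-05-28T00:00:00"
# Assumption: fixed AEST offset. Late May is outside daylight saving (AEDT is +11:00).
AEST = "+10:00"

# What the date filter does: read the local string in the given zone, keep the instant in UTC.
def to_utc(local_string, offset)
  Time.iso8601(local_string + offset).utc
end

# Render the way Logstash prints a timestamp: millisecond precision, trailing Z.
def logstash_style(time)
  time.utc.iso8601(3)
end

# The gsub approach: swap the suffix, leave the clock fields untouched.
def relabel(utc_string)
  utc_string.sub(/Z$/, "+10")
end

# Seconds by which the relabelled string differs from the real instant.
def drift_seconds(utc_time)
  relabelled = relabel(logstash_style(utc_time))
  (utc_time - Time.iso8601(relabelled + ":00")).to_i
end

# Same instant with an explicit offset: clock fields and suffix move together.
def with_offset(utc_time, offset)
  utc_time.getlocal(offset).iso8601
end

utc = to_utc(LOCAL_STRING, AEST)
puts logstash_style(utc)           # stored form, UTC
puts relabel(logstash_style(utc))  # relabelled form, a different instant
puts drift_seconds(utc)            # how far the relabelled value moved
puts with_offset(utc, AEST)        # same instant, written with its offset
```

The last form is the original local string with its offset appended, which matches the answer's advice to use the string you started with.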

Thank you very much @Badger for highlighting the problem with date object being treated as a string when quotes are used. It turned out the time has been adjusted to UTC (DB timezone is set to UTC) making the timezone offset to be updated correctly to +00. It is my bad that I didn't notice the difference in time.
