Logstash Date parsing error

Elastic Stack Logstash
1

Hi! I am trying to parse the following date format:

2022-03-03 10:45:02,520

My current configuration for logstash to parse is:

grok {
      match => [
        "message", "%{TIMESTAMP_ISO8601:logdate}....."
      ]
}
date {
      match => ["logdate", "YYYY-MM-dd HH:mm:ss,SSS"]
      target => "logdate"
}

However, when I view the logs on Kibana, I see the following logdate:

Mar 3, 2022 @ 02:45:02.520

The hour field seems to be parsing incorrectly. I noticed on my grok debugger that TIMESTAMP_ISO8601 parses the hour incorrectly but that shouldn't matter with my date pluggin right?

2

If you do not use the timezone option on the date filter it will parse assuming the field is in the logstash servers local timezone. The parsed time stored in Elasticsearch is always UTC.

Kibana will, by default, adjust the date to be in the browser's timezone.

Does that help?

3

I'm still a little bit confused :sweat_smile:

Logstash machine is on MST while the browsers timezone will be PST (1 hour behind). The log times are 7 hours behind for PST and 8 hours for MST.

Shouldn't my browser adjust the logdate so that they are in sync with PST?

4

It looks like Kibana is displaying the date in UTC. In the advanced options of Kibana there is a dateFormat:tz option that controls what timezone it uses.

5

I modified that field from "Browser" to US/Pacific". The logdate still seems to show the UTC time. I refreshed my browser, re-created Data Views and logged out and back in with no change.

Is there something I'm missing?

6

I realized I mixed up some info. Both my Logstash and Elasticsearch machine are on PST. The machine with filebeat on it is MST

Additionally, @timestamp maps correctly, but logdate is 7 hours behind.

7

Apologies for being a bit confusing but I'm still a little confused on what to do.

My pipeline (Filebeat 8.0.1 and Logstash/ES/Kibana 8.0.0):
Filebeat machine (MST)
Logstash Machine - Docker container (PST)
ES Machine Docker container (PST)

Adjusting the Kibana settings to Pacific did not change anything for my 'logdate' field. So I suspect this is an issue with Logstash?

8

You should check what the value is in Elasticsearch. Fetch the document using curl, or with the Dev Tools console.

Also, check the mapping for the field.

9

Looks like Elasticsearch maps it correctly

          "event" : {
            "original" : "2022-03-03 16:55:02,521 ..."
          },
          "logdate" : "2022-03-03T16:55:02.521Z",

However the timestamp is:

          "@timestamp" : "2022-03-03T23:55:09.474Z",

And indice mapping:

        "logdate" : {
          "type" : "date"
10

So the logs were created at 16:55:02.521. So 15:55:02 PST, but the timestamp shows 23:55:09

11

So logdate exactly matches the start of [event][original]. That suggests that the date filter parser set the timezone to UTC. It is documented as using the system default timezone if the option is not set.

12

I think I'm starting to understand. So I'll need to specify the time zone in my logstash config file. And since the server that it's reading logs from is MST, I'll need to specify

timezone => "MST"

Yup, this worked! Thanks Badger.

13

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.