Logstash Date parsing error

userR · March 3, 2022, 6:32pm

Hi! I am trying to parse the following date format:

2022-03-03 10:45:02,520

My current configuration for logstash to parse is:

grok {
      match => [
        "message", "%{TIMESTAMP_ISO8601:logdate}....."
      ]
}
date {
      match => ["logdate", "YYYY-MM-dd HH:mm:ss,SSS"]
      target => "logdate"
}

However, when I view the logs on Kibana, I see the following logdate:

Mar 3, 2022 @ 02:45:02.520

The hour field seems to be parsing incorrectly. I noticed on my grok debugger that TIMESTAMP_ISO8601 parses the hour incorrectly but that shouldn't matter with my date pluggin right?

Badger · March 3, 2022, 6:54pm

If you do not use the timezone option on the date filter it will parse assuming the field is in the logstash servers local timezone. The parsed time stored in Elasticsearch is always UTC.

Kibana will, by default, adjust the date to be in the browser's timezone.

Does that help?

userR · March 3, 2022, 7:09pm

I'm still a little bit confused

Logstash machine is on MST while the browsers timezone will be PST (1 hour behind). The log times are 7 hours behind for PST and 8 hours for MST.

Shouldn't my browser adjust the logdate so that they are in sync with PST?

Badger · March 3, 2022, 7:29pm

It looks like Kibana is displaying the date in UTC. In the advanced options of Kibana there is a dateFormat:tz option that controls what timezone it uses.

userR · March 3, 2022, 9:35pm

I modified that field from "Browser" to US/Pacific". The logdate still seems to show the UTC time. I refreshed my browser, re-created Data Views and logged out and back in with no change.

Is there something I'm missing?

userR · March 3, 2022, 9:59pm

I realized I mixed up some info. Both my Logstash and Elasticsearch machine are on PST. The machine with filebeat on it is MST

Additionally, @timestamp maps correctly, but logdate is 7 hours behind.

userR · March 4, 2022, 7:15pm

Apologies for being a bit confusing but I'm still a little confused on what to do.

My pipeline (Filebeat 8.0.1 and Logstash/ES/Kibana 8.0.0):
Filebeat machine (MST)
Logstash Machine - Docker container (PST)
ES Machine Docker container (PST)

Adjusting the Kibana settings to Pacific did not change anything for my 'logdate' field. So I suspect this is an issue with Logstash?

Badger · March 4, 2022, 7:51pm

You should check what the value is in Elasticsearch. Fetch the document using curl, or with the Dev Tools console.

Also, check the mapping for the field.

userR · March 4, 2022, 8:38pm

Looks like Elasticsearch maps it correctly

          "event" : {
            "original" : "2022-03-03 16:55:02,521 ..."
          },
          "logdate" : "2022-03-03T16:55:02.521Z",

However the timestamp is:

          "@timestamp" : "2022-03-03T23:55:09.474Z",

And indice mapping:

        "logdate" : {
          "type" : "date"

userR · March 4, 2022, 8:57pm

So the logs were created at 16:55:02.521. So 15:55:02 PST, but the timestamp shows 23:55:09

Badger · March 4, 2022, 9:48pm

So logdate exactly matches the start of [event][original]. That suggests that the date filter parser set the timezone to UTC. It is documented as using the system default timezone if the option is not set.

userR · March 4, 2022, 10:11pm

I think I'm starting to understand. So I'll need to specify the time zone in my logstash config file. And since the server that it's reading logs from is MST, I'll need to specify

timezone => "MST"

Yup, this worked! Thanks Badger.

system · April 1, 2022, 10:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.