Logstash date timezone conversion

paano · April 1, 2019, 6:30pm

in the pipeline conf, used timezone but when viewing in kibana it converts to UTC time.

date {
  timezone => "America/Chicago"
	match => [ "ALTDATE", "yyyy-MM-dd" ]
	target => "ALTDATE"
}

date {
	match => [ "CRDATE", "yyyy-MM-dd" ]
	timezone => "America/Chicago"
	target => "CRDATE"
}

Partial rubydebug output as below.

elk_logstash     |        " ALTDATE" => "2013-05-24",
elk_logstash     |         "message" => "ALTDATE(2013-05-24), ALTTIME(14.45.03), CRDATE(2012-07-24), CRTIME(03.01.10)",
elk_logstash     |        "@version" => "1",
elk_logstash     |            "host" => {
elk_logstash     |         "name" => "5cd386e09087"
elk_logstash     |     },
lk_logstash     |         " CRDATE" => "2012-07-24",
elk_logstash     |         " CRTIME" => "03.01.10",
elk_logstash     |          "source" => "/var/log/test.log",
elk_logstash     |            "tags" => [],
elk_logstash     |      "@timestamp" => 2019-04-01T18:14:07.790Z,
elk_logstash     |          "offset" => 743,
elk_logstash     |           "input" => {
elk_logstash     |         "type" => "log"
elk_logstash     |     },
elk_logstash     |            "beat" => {
elk_logstash     |             "name" => "5cd386e09087",
elk_logstash     |          "version" => "6.5.2",
elk_logstash     |         "hostname" => "5cd386e09087"
elk_logstash     |     },
elk_logstash     |        " ALTTIME" => "14.45.03"
elk_logstash     | }

We see logstash parses the data correctly.

Not able to understand why it fails to use the timezone for display.

Badger · April 1, 2019, 7:05pm

elasticsearch stores all dates/times as UTC. kibana typically shows dates in the browser's timezone but you can tell it to use some other timezome using dateFormat:tz

paano · April 1, 2019, 9:00pm

@Badger Tried the option but did not work.
Also tried "mutate -> convert" but no luck.

Is there an alternative?

Badger · April 1, 2019, 9:11pm

You do not have fields called "ALTDATE" and "CRDATE". They are called " ALTDATE" and " CRDATE" with a leading space. So those date filters do nothing.

If you are using a kv filter you may need to add trim_key to it.

paano · April 1, 2019, 9:46pm

Got it. tested after the trim and it worked.
Did not know "a space in front of the key" would fail to parse.

It never threw any exception. Nice to know.

system · April 29, 2019, 9:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.