Logstash => ES, Timezone and IndexName

bastimm · July 24, 2017, 9:39am

Hello,

we have logfiles with a timestamp like "yyyyMMddHHmmss" with Europe/Berlin Timezone.
This files were sent via FileBeat=>Logstash=>ES.

Now we changed timezone in our Logstash config.
Now the timestamp in ES is correct.
But we create a new Index for each day and now there is a difference.

One short example:
timestamp: 20170401012200 => data will logged into index "log-2017.03.31", but we want the data in "log-2017.04.01"

our configs:

input {
    beats {
            port => "5044"
            host => "0.0.0.0"
    }
}

filter {
    mutate {
        add_field => {
            "shop ID" => "%{[message][0]}"
            "tpTimestamp" => "%{[message][1]}"
        }
    date {
        match => ["tpTimestamp", "yyyyMMddHHmmss"]
        timezone => "Europe/Berlin"
        target => "@timestamp"
     }
}

output {
    elasticsearch {
       hosts => ["localhost:9200"]
           index => "actionlog-%{+YYYY.MM.dd}"
       }
    }
}

Can somebody help us, how to get the right indexname with correct times?

Thanks in advance!

sreepatch · July 24, 2017, 10:10am

As per my knowledge, the indices are created on the daily basis based on your index configuration. Logstash does not bother about the time stamp in the data while filtering and sending the data to indices.
If you are using Kibana, the Date field added in the filter can be used to create a new search. Then you can filter out the data based on the time stamp in the data

bastimm · July 24, 2017, 11:06am

first thanks for your answer!

Our problem are the wrong index-names.
Search/TImestamp is like we want.
If we disable some indexes or delete some indexes, there is data from an other day included....

magnusbaeck · July 25, 2017, 9:10pm

With

index => "actionlog-%{+YYYY.MM.dd}"

the indexes will be named after the @timestamp field which is UTC. Don't attempt to change that.

If you really need to be able to delete events on exact local time boundaries you can create another field containing the date in the local time and reference that field in the index option above.

system · August 22, 2017, 9:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to name new index based on time from log Logstash	10	12653	March 1, 2017
@timestamp and _index question Logstash	7	701	September 23, 2017
Logstash & KIbana timestamp indexing Logstash	2	471	October 16, 2019
Daily index name and @timestamp value discrepancies Logstash	4	755	July 6, 2017
[ELK]logstash default timezone cause index splitting problem in different timezones Logstash	15	6351	July 6, 2017

Logstash => ES, Timezone and IndexName

Related Topics