Logstash & KIbana timestamp indexing

ALLAHshukur_Ahmadzad · September 18, 2019, 7:22am

Hi dear community.I am having problems with the index naming of logs that belongs to the one day but indexed as previous.Now the logs are like following:
Log:
09-09-2019 00:00:08 - log.....

Logstash output:
output {
elasticsearch {
hosts => localhost
manage_template => false
index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
}
}

Now if the log timestamp is something like "09-09-2019 10:00:08 - log...." then it is going to be indexed as "filebeat-7.3.1-2019.09.09" but if log datetime is something like "09-09-2019 00:00:08 ...log" or "09-09-2019 02:00:08 ...log" and so then it is going to be indexed like "filebeat-7.3.1-2019.09.08".

Badger · September 18, 2019, 12:44pm

elasticsearch timestamps, and the index names created from them, are based on UTC. For most people that means that events from a single day in local time will be split across two indexes.

system · October 16, 2019, 12:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.