Logstash output elasticsearch a day index but curent day index contain two days data (curent day and next day_)

Champion_Xie · April 27, 2017, 1:23am

below info is my logstash conf

can i define index name timezone ??

filter {
grok {
match => { "message" => "%{TIMESTAMP_ISO8601:datatime} %{LOGLEVEL:loglevel} - %{IP:client} %{NUMBER:duration} %{WORD:qtype} %{DATA:domain} %{NUMBER:nb1} %{NUMBER:nb2} " }
}
date {
locale => "en"
match => ["datatime","YYYY-MM-dd HH:mm:ss"]
timezone => "Asia/Shanghai"
}
}
output {
elasticsearch {
hosts => ["18.41.15.14:9200","18.41.15.15:9200"]
index => "logstash-%{[fields][logtype]}-%{+YYYY.MM.dd}"

warkolm · April 27, 2017, 1:30am

ES stores data in UTC, so that'd probably explain it.

Champion_Xie · April 27, 2017, 2:27am

how can i do it ? thanks

warkolm · April 27, 2017, 3:17am

Do what?

Champion_Xie · April 27, 2017, 3:19am

define index name datetime format and timezone

eg:
logstash-field-logtype-201704.01(the datetime ' timezone)

warkolm · April 27, 2017, 3:20am

You cannot, ES uses UTC.

system · May 25, 2017, 3:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.