Logstash output plugin index time zone problems

maghibus · November 22, 2018, 4:37pm

Hi,

Take for example a log file with the following content:

2018-11-15 00:58:15,417 INFO  [org.alfresco.solr.component.AsyncBuildSuggestComponent] Building suggester index for: shingleBasedSuggestions
2018-11-15 01:58:15,417 INFO  [org.alfresco.solr.component.AsyncBuildSuggestComponent] Building suggester index for: shingleBasedSuggestions

My time zone is Europe/Rome (CET) and this is my Logstash configuration:

filter plugin:

 filter {
   grok {
     match => { "message" => "\A%{TIMESTAMP_ISO8601:timestamp} %{LOGLEVEL:severity}%{SPACE}*%{SYSLOG5424SD}" }
   }
   if "_grokparsefailure" in [tags] { drop {} }
   date { 
     match => ["timestamp", "yyyy-MM-dd HH:mm:ss,SSS"] remove_field => ["timestamp"] }
   }
}

output plugin:

elasticsearch {
   hosts => ["localhost"]
   manage_template => false
   index => "solr-%{+YYYY.MM.dd}"
}

Logstash creates two indecis:

solr-2018.11.14

2018-11-15 00:58:15,417 INFO [org.alfresco.solr.component.AsyncBuildSuggestComponent] Building suggester index for: shingleBasedSuggestions

solr-2018.11.15

2018-11-15 01:58:15,417 INFO [org.alfresco.solr.component.AsyncBuildSuggestComponent] Building suggester index for: shingleBasedSuggestions

How can I avoid that scenario?
What is the best scenario?

Thaks

system · December 20, 2018, 4:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.