I have a source text in a string like this:
09/15/2017 14:50:09.866800
Let's call this field action_end_raw. I use a date filter to parse it to a date time:
date {
  match => ["action_end_raw", "MM/dd/yyyy HH:mm:ss.SSSSSS"]
  target => "action_end"
  remove_field => ["action_end_raw"]
}
However, when I check the action_end field in the final log, it looks something like this:
2017-09-15T05:50:09.866Z
and the timestamp looks like:
2017-09-15T06:50:14.047Z
I would have expected timestamp and action_end to be very close together. Now, as far as I know, Logstash converts them based on timezones. My server is in UTC+8 (Ulaanbaatar), the client that sent the log is in UTC+8 (Hong Kong) and the machine I use to view is in UTC+8 (Hong Kong). Ulaanbaatar's next adjustment should be after 2020, according to my research. I was curious, what could have happened? It was working properly before. Thanks in advance.
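An added example, not part of the original post: a Python check that derives which UTC offset was applied to the zone-less action_end_raw string, using only the three values quoted above. The date filter falls back to the platform default time zone when no `timezone` option is set, so the implied offset shows what the Logstash host believed its zone was at that instant; the function names here are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Python equivalent of the filter pattern MM/dd/yyyy HH:mm:ss.SSSSSS
RAW_FORMAT = "%m/%d/%Y %H:%M:%S.%f"

# Values copied from the post.
RAW = "09/15/2017 14:50:09.866800"       # action_end_raw (no zone information)
ACTION_END = "2017-09-15T05:50:09.866Z"  # action_end as stored
TIMESTAMP = "2017-09-15T06:50:14.047Z"   # timestamp of the same event


def parse_event_time(value):
    """Parse a UTC value in the form Logstash prints (…T05:50:09.866Z)."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")
    return parsed.replace(tzinfo=timezone.utc)


def implied_offset(raw_local, parsed_utc):
    """UTC offset the parser must have assumed for the zone-less string."""
    local = datetime.strptime(raw_local, RAW_FORMAT)
    utc = parse_event_time(parsed_utc).replace(tzinfo=None)
    # The stored value keeps milliseconds only, so compare at minute precision.
    minutes = round((local - utc).total_seconds() / 60)
    return timedelta(minutes=minutes)


def parse_with_offset(raw_local, hours):
    """The same string converted to UTC when read with a fixed offset."""
    zone = timezone(timedelta(hours=hours))
    local = datetime.strptime(raw_local, RAW_FORMAT).replace(tzinfo=zone)
    return local.astimezone(timezone.utc)


def lag_seconds(event_utc, ingest_utc):
    """Seconds between the event time and the ingest timestamp."""
    return (ingest_utc - event_utc).total_seconds()


if __name__ == "__main__":
    print("offset applied by the filter:", implied_offset(RAW, ACTION_END))
    ingest = parse_event_time(TIMESTAMP)
    for hours in (8, 9):
        event = parse_with_offset(RAW, hours)
        print(f"read as UTC+{hours}: {event.isoformat()} "
              f"lag={lag_seconds(event, ingest):.3f}s")
```

Read as UTC+8, the event lands about four seconds before timestamp; the stored action_end corresponds to the string having been read as UTC+9.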