Message->Elastic->Kibana Timestamp


#1

Hi,

I'm trying to understand how Elasticsearch/Kibana interpret time fields that don't come with a timezone in the raw message. In my case, described below, I'm getting incorrect times in Kibana.

I have two log sources, logA and logB. LogA has its time in the epoch_millis format. Example: 458577540220. In Logstash I store it in the field named logdate. I did not change @timestamp, and there is no additional time filtering other than parsing the millis field from the log line.

My second log source, LogB, saves the same event with more detail, but the date is in a human-readable format: yyyy-MM-dd HH:mm:ss.SSS. There is no timezone in the string. In Logstash, I basically just parsed the time string and did not do any additional filtering. The human-readable date in logB and the millis date in logA are basically the same.

Example:

LogA: 1458577540220 (Mar 21 2016 12:25:40 Eastern. The source server is in Eastern). This is saved in Elasticsearch as a date in epoch_millis format.

LogB: 2016-03-21 12:25:40.219. This is saved in Elastic as field of format "yyyy-MM-dd HH:mm:ss.SSS". The data source is in Eastern time zone.

Kibana interprets the date from logA correctly based on the browser timezone (Eastern).

However, the logB data was incorrectly shown as 4 hours earlier, causing incorrect correlation in my graphs.

I understand Elasticsearch stores dates in UTC. So it seems somewhere along the way, the logB time was incorrectly converted between UTC and Eastern (4 hours difference).

Any ideas where to correct it?

Thanks,
Crom


#2

Is it because Kibana converts epoch_millis date directly into the browser's timezone? But for the "yyyy-MM-dd HH:mm:ss.SSS" date (no timezone), Kibana assumes it's in UTC so it converts it to browser tz which is 4 hours earlier?


(Mark Walkom) #3

Exactly!
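To make the 4-hour offset concrete, here is an added Python example (not from the thread or from Elastic) that indexes logB's zone-less string first as UTC, which is what happens when nothing tells the parser otherwise, and then with the source zone attached, and renders both the way Kibana would for an Eastern browser. The zone name America/New_York and the fixed EDT fallback are assumptions based on the thread saying the source server is in Eastern.

```python
from datetime import datetime, timedelta, timezone

# Constructed from the thread: one event as seen by both sources.
LOG_A_EPOCH_MS = 1458577540220          # logA: epoch_millis, an absolute instant
LOG_B_TEXT = "2016-03-21 12:25:40.219"  # logB: Eastern wall-clock time, no zone in the string
LOG_B_FORMAT = "%Y-%m-%d %H:%M:%S.%f"   # strptime equivalent of yyyy-MM-dd HH:mm:ss.SSS
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def source_zone():
    """Zone the logB server writes in. Assumed: America/New_York (EDT on this date)."""
    try:
        from zoneinfo import ZoneInfo
        return ZoneInfo("America/New_York")
    except Exception:  # no tzdata on this host: a fixed EDT offset is correct for March 21
        return timezone(timedelta(hours=-4), "EDT")


def to_epoch_ms(text, assumed_zone):
    """Index a zone-less timestamp the way Elasticsearch does: attach the zone it assumes."""
    aware = datetime.strptime(text, LOG_B_FORMAT).replace(tzinfo=assumed_zone)
    return (aware - EPOCH) // timedelta(milliseconds=1)  # exact integer millis


def render_like_kibana(epoch_ms, browser_zone):
    """Kibana side: take the stored UTC instant and display it in the browser's zone."""
    shown = (EPOCH + timedelta(milliseconds=epoch_ms)).astimezone(browser_zone)
    return shown.strftime(LOG_B_FORMAT)[:-3]  # trim microseconds down to millis


def compare():
    eastern = source_zone()
    as_utc = to_epoch_ms(LOG_B_TEXT, timezone.utc)   # no timezone given: parsed as UTC
    as_eastern = to_epoch_ms(LOG_B_TEXT, eastern)    # source zone supplied at parse time
    return {
        "utc_gap_ms": LOG_A_EPOCH_MS - as_utc,           # 4 h plus the 1 ms between the logs
        "eastern_gap_ms": LOG_A_EPOCH_MS - as_eastern,   # just the 1 ms: the logs line up
        "utc_shown": render_like_kibana(as_utc, eastern),          # 4 hours early in Kibana
        "eastern_shown": render_like_kibana(as_eastern, eastern),  # matches logA's 12:25:40
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The Logstash equivalent of the second parse is giving the date filter a `timezone` option naming the source zone, so the string is converted to UTC at ingest instead of being assumed to already be UTC.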
