Recalculate times?

Hi,

Due to a number of reasons we have servers logging with UTC and servers logging with timestamps in CEST. In Kibana/ES I would like to see everything in CEST to easily connect the dots with events in client devices. Is there any way in which I can convert a timestamp in Logstash from UTC to CEST (with regard to summer/winter time)?

At this moment the top of the filter in question looks like this:

mutate {
    strip => ["message"]
}

dissect {
    mapping => {
        "message" => "ts: %{ts} %{+ts} | logLevel: %{log-level} | appId: %{app-id} | %{} | SID: %{session-id} | TN: %{transaction-id} | clientIp: %{client-ip} | userId: %{user-id} | apiType: %{} | api: %{api} | platform: %{platform} | %{additional-data}"
    }
}

mutate {
    strip => ["ts", "log-level", "app-id", "session-id", "transaction-id", "client-ip", "user-id", "api", "platform", "additional-data"]
}

Thanks in advance.

This does the simple trick

date {
    match => ["ts", "yyyy-MM-dd HH:mm:ss,SSS"]
    timezone => "UTC"
    target => "@timestamp"
    remove_field => [ "ts" ]
}

Elasticsearch and Logstash always store timestamps as UTC. You can lie to them about what timezone your timestamps are in to force them to store timestamps in a different timezone. Kibana will, by default, transform timestamps into the local timezone, respecting DST. If you want Kibana to present timestamps in a different timezone then that is configurable.
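For the mixed fleet described in the question, one way to tell the date filter which zone each source really logs in, so that every event lands on the same UTC timeline and Kibana can render it in local time. This is an added example, not configuration posted in the thread; the field `[log_tz]` and the zone `Europe/Amsterdam` are assumptions standing in for however the shippers are labelled and whichever CET/CEST region the servers are in.

```conf
filter {
  # Assumption: each shipper adds a hypothetical field [log_tz] with the value
  # "local" (server writes CET/CEST wall-clock time) or "utc".
  if [log_tz] == "local" {
    date {
      match        => ["ts", "yyyy-MM-dd HH:mm:ss,SSS"]
      # A region ID rather than a fixed offset: the filter applies +01:00 in
      # winter and +02:00 in summer when converting to UTC.
      timezone     => "Europe/Amsterdam"
      target       => "@timestamp"
      remove_field => ["ts"]
    }
  } else if [log_tz] == "utc" {
    date {
      match        => ["ts", "yyyy-MM-dd HH:mm:ss,SSS"]
      timezone     => "UTC"
      target       => "@timestamp"
      remove_field => ["ts"]
    }
  } else {
    # Unlabelled source: keep "ts" and mark the event, so its @timestamp
    # (ingest time) is not mistaken for the time the event was logged.
    mutate {
      add_tag => ["unknown_source_timezone"]
    }
  }
}
```

Events whose `ts` does not match the pattern keep the field and receive the filter's default `_dateparsefailure` tag, which is worth alerting on when these logs feed an incident timeline.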
