Set date time transformations from date filter

pkaramol · June 13, 2018, 3:54pm

Here is a (partial) syslog entry (ignore IP validity they have been scrambled):

Jun 15 00:51:19 139.133.7.190 (squid-1): src="172.16.0.51" src_port="49530" dst="122.355.89.1" dst_port="80" local_time="15/Jun/2015:00:51:19 +0300"`

Here is the way I am using date filter

  date {
    # target => "@timestamp"
    match => [ "local_time", "dd/MMM/yyyy:HH:mm:ss +0300" ]
    # local_time="21/Jun/2015:23:45:39 +0300"
    tag_on_failure => ["no_date_match"]
    timezone => "Europe/Athens"
  }

Can anyone explain why my document gets a @timestamp shifted by 3 hours?, i.e. 2015-06-14T21:51:19.000Z

I just want to have in my @timestamp the exact value (without the +0300 part of course) appearing in the local_time field!

Badger · June 13, 2018, 4:07pm

The Elastic stack always stores times as UTC. You have specified a timezone of Europe/Athens, which is three hours ahead of UTC.

If you are using Kibana that will typically adjust things back to the browser's local timezone.

pkaramol · June 13, 2018, 4:14pm

Removing the

    timezone => "Europe/Athens"

makes the document having correct @timestamp (which can be viewed via its json representation) but now kibana is the misleading one (3 hours ahead)

Badger · June 13, 2018, 4:18pm

The Elastic stack stores times as UTC, regardless of which time zone you are in. If your logs have timestamps that are in Europe/Athens you should expect them to be three hours behind in elasticsearch.

Topic		Replies	Views
Logstash date filter performs a timeshift of 3 hours Logstash	2	797	July 11, 2018
Timestamp not match Logstash	2	518	November 8, 2019
@timestamp converts timezones when it shouldn't - Weird issue Logstash	12	4639	July 6, 2017
Elasticsearch / logstash Log time shift Logstash	7	274	June 7, 2023
How to change time zone from Zulu Elasticsearch	5	2527	July 6, 2017

Set date time transformations from date filter

Related topics