Strange index dates

(Tim Desrochers) #1

I am creating dated indices using logstash but there is a problem with the dates when ingesting records from Bro. I get dates from different years and different dates. I'm not sure why this is happening, when I look in the log files the dates all appear to be correct. My filter to create the dates is:

index => "XXXXX-bro-%{+YYYY.MM.dd}"

I'm not sure why this is happening. It only happens when indexing my Bro traffic.

Suggestions? Right now I am deleting wrong-dated indices daily. If I don't delete them I run into index mapping problems with Kibana.


(Aaron Mildenstein) #2

Before you delete the wrong indices, you should do some quick searches on them to see what they contain. Logstash can only create indices based on the timestamp assigned to an event, so you should see what "dates" are in these indices and then you'll have more information to go on.

(Tim Desrochers) #3

So the issue seems to be I was having my timestamp translated to ISO8601 and that was causing the strange dates. I changed the translate in my logstash to ts = UNIX and the dates have been solid ever since. So I am good to go until 2038 when UNIX time breaks. Good thing I'll have another job by then :smile:

Thanks for the help
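
The point made in #2 (Logstash derives the dated index purely from the event's @timestamp, so the first step is to look at what ended up in a wrongly dated index) and the fix in #3 (parsing the Bro `ts` field as UNIX epoch seconds) can be checked offline. The following is an added example, not code from the thread or from Logstash: it emulates the two `date` filter patterns mentioned (UNIX and ISO8601), renders the `%{+YYYY.MM.dd}` index name the way Logstash does (in UTC), and audits a handful of constructed Bro conn.log-style documents against the index they sit in. The prefix `xxxxx-bro`, the sample `ts` values and the `uid` fields are assumptions for illustration.

```python
"""Emulate Logstash dated-index naming and audit an index for misrouted events.

Added example. The index prefix "xxxxx-bro", the Bro-style sample
documents and their uids are constructed for illustration.
"""
from datetime import datetime, timezone

# Joda-style tokens used in the post's index pattern, index => "...-%{+YYYY.MM.dd}".
# Logstash renders the sprintf date in UTC; strftime equivalents emulate that.
JODA_TO_STRFTIME = {"YYYY": "%Y", "MM": "%m", "dd": "%d"}


def parse_ts(value, fmt):
    """Parse a timestamp field the way the Logstash date filter would for the
    two patterns the thread mentions. "UNIX" is epoch seconds (fractional part
    allowed, as Bro writes it); "ISO8601" is an ISO 8601 string. Returns an
    aware UTC datetime either way."""
    if fmt == "UNIX":
        return datetime.fromtimestamp(float(value), tz=timezone.utc)
    if fmt == "ISO8601":
        # fromisoformat() on older Pythons does not accept a trailing "Z".
        dt = datetime.fromisoformat(str(value).replace("Z", "+00:00"))
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        return dt.astimezone(timezone.utc)
    raise ValueError(f"unsupported date pattern: {fmt}")


def index_name(prefix, timestamp, pattern="YYYY.MM.dd"):
    """Render prefix-%{+pattern} for an aware datetime, in UTC like Logstash.
    An event at 23:59:59 local time may therefore land in the next day's
    index if local time is behind UTC; that is expected, not a bug."""
    fmt = pattern
    for joda, strf in JODA_TO_STRFTIME.items():
        fmt = fmt.replace(joda, strf)
    return f"{prefix}-{timestamp.astimezone(timezone.utc).strftime(fmt)}"


def audit_index(name, prefix, events, ts_field="ts", ts_format="UNIX"):
    """The check suggested in #2, done offline: given documents pulled from an
    index that looks wrongly dated, report those whose own source timestamp
    would route them to a different index. Each hit is
    (uid, source ts, stored @timestamp, index the event should be in)."""
    misrouted = []
    for ev in events:
        expected = index_name(prefix, parse_ts(ev[ts_field], ts_format))
        if expected != name:
            misrouted.append((ev["uid"], ev[ts_field], ev["@timestamp"], expected))
    return misrouted


# Constructed documents as they might sit in "xxxxx-bro-2017.01.18": the first
# two belong there, the third carries a Bro ts from the previous UTC day but
# was stored with an @timestamp that put it in the wrong index.
SAMPLE_INDEX = "xxxxx-bro-2017.01.18"
SAMPLE_EVENTS = [
    {"uid": "C1", "ts": "1484763742.834567", "@timestamp": "2017-01-18T18:22:22.834Z"},
    {"uid": "C2", "ts": "1484740000.0", "@timestamp": "2017-01-18T11:46:40.000Z"},
    {"uid": "C3", "ts": "1484697599.5", "@timestamp": "2017-01-18T09:00:00.000Z"},
]


def run_demo():
    """Audit the constructed index and return the misrouted events."""
    return audit_index(SAMPLE_INDEX, "xxxxx-bro", SAMPLE_EVENTS)


if __name__ == "__main__":
    for uid, ts, stored, expected in run_demo():
        print(f"{uid}: ts={ts} stored @timestamp={stored} belongs in {expected}")
    # The 2038 remark in #3: 2**31 seconds is only a boundary for 32-bit
    # signed time_t. Python uses 64-bit arithmetic here, as does the JVM
    # Logstash runs on, so the index name resolves normally.
    print(index_name("xxxxx-bro", parse_ts("2147483648", "UNIX")))
```

Run it against documents exported from a suspect index (for example the `_source` of a few hits from a match-all query) with `ts_format` set to whatever the `date` filter in the pipeline uses; any event whose expected index differs from the one it sits in is the discrepancy to chase, and comparing its `ts` with the stored `@timestamp` shows how the filter interpreted the field.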
