Time column it's different than @timestamp field in kibana

Fateme_Alizade · April 8, 2024, 9:37am

Hey guys!
I have troubling with time stuff in kibana and logstash
I have a filter pattern for my syslogs which its timestamp it's different than time column in kibana( My logs are shown in kibana 3 hours later )

here is my filter code for my sysligs which I'm collecting them from kubernetes pods

      date {
        match => [ "timestamp", "MMM dd HH:mm:ss" ]
        timezone => "Asia/Tehran"
    }

also I have a grok pattern like this:

syslog {
port => 6570
grok_pattern => "<%{POSINT:priority}>%{SYSLOGTIMESTAMP:timestamp} %{DATA:program}: %{GREEDYDATA:message}"

I have googled a hundred of pages but I couldn't find anything that matches my issue or maybe I missed it
Can anyone help me with this issue?

nickpeihl · April 8, 2024, 3:33pm

Hi Raha. I think you might need to change the default timestamp field in your Data View.

leandrojmp · April 8, 2024, 3:43pm

Please share the original message so it is possible to see how the timestamp field is being parsed.

The event you shared does not show how the timestamp field looks like.

Fateme_Alizade · April 8, 2024, 4:54pm

Issue was about this line

      date {
        **match => [ "timestamp", "MMM dd HH:mm:ss" ]**
        timezone => "Asia/Tehran"
    }

It couldn't match my timestamp with this format
I changed it to:

match => [ "timestamp", "MMM d HH:mm:ss" ]

and it resolved my issue