Time converted to EST, when Unixtime is already EST

The date passed from logstash is 4 hours before the time the event occurs.

I am receiving time as UNIX_MS, but this is in EST. Therefore, the match will convert it to EST (taking off 4 hours) which it doesn't need to do, since it started in EST.

How can I let logstash know the time is already EST?

match => ["date", "UNIX_MS"]
timezone => "America/New_York"
target => "@timestamp".

Epoch timestamps are by definition UTC so it's very odd if the data you're getting really is "seconds since 1970-01-01 00:00:00 EST". You can use a ruby filter to perform the conversion though.

The data is not seconds after 1970. The data is 4 hours earlier than expected. ... The device where I gather the data is returning an epochtime that is based on the current timezone that I am in. It is not giving me the UTC that I expect. How can I change this after the timestamp is brought in? (I can't just add 4 hours, since when Daylight Savings ends, it would be 5 hours.)

If you perform the conversion and pretend that the epoch is UTC, can't you inspect the resulting date to figure out whether DST applies and based on that add 4 or 5 hours?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.