The date passed from logstash is 4 hours before the time the event occurs.
I am receiving time as UNIX_MS, but this is in EST. Therefore, the match will convert it to EST (taking off 4 hours) which it doesn't need to do, since it started in EST.
How can I let logstash know the time is already EST?
date {
  match => ["date", "UNIX_MS"]
  timezone => "America/New_York"
  target => "@timestamp"
}
Epoch timestamps are by definition UTC so it's very odd if the data you're getting really is "seconds since 1970-01-01 00:00:00 EST". You can use a ruby filter to perform the conversion though.
The data is not seconds after 1970. The data is 4 hours earlier than expected. ... The device where I gather the data is returning an epochtime that is based on the current timezone that I am in. It is not giving me the UTC that I expect. How can I change this after the timestamp is brought in? (I can't just add 4 hours, since when Daylight Savings ends, it would be 5 hours.)
If you perform the conversion and pretend that the epoch is UTC, can't you inspect the resulting date to figure out whether DST applies and based on that add 4 or 5 hours?
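The approach suggested in the last reply, as an added example that is not part of the original thread: treat the incoming value as a wall-clock reading, decide from its date whether daylight saving applies, and add 4 or 5 hours accordingly. The helper names are hypothetical, and the US rules in force since 2007 (second Sunday of March to first Sunday of November, switching at 02:00 local) are hard-coded as an assumption instead of being read from a timezone database.

```ruby
require 'date'

# Offsets for America/New_York (assumption: US rules since 2007).
EST_OFFSET_MS = 5 * 3600 * 1000   # standard time, UTC-5
EDT_OFFSET_MS = 4 * 3600 * 1000   # daylight time, UTC-4

# Day of month of the nth Sunday in the given month.
def nth_sunday(year, month, n)
  first_wday = Date.new(year, month, 1).wday      # 0 = Sunday
  first_sunday = 1 + (7 - first_wday) % 7
  first_sunday + 7 * (n - 1)
end

# wall: a Time in UTC whose fields are really the device's local wall clock.
# DST runs from 02:00 on the 2nd Sunday of March to 02:00 on the 1st Sunday
# of November, both expressed in wall-clock terms.
def us_dst?(wall)
  start = Time.utc(wall.year, 3, nth_sunday(wall.year, 3, 2), 2)
  stop  = Time.utc(wall.year, 11, nth_sunday(wall.year, 11, 1), 2)
  wall >= start && wall < stop
end

# Convert a "local epoch" in milliseconds (wall clock encoded as if it were
# UTC) into a real UTC epoch in milliseconds.
# Caveat: the repeated hour 01:00-01:59 on the fall-back day is ambiguous;
# this treats it as daylight time (its first occurrence).
def local_epoch_ms_to_utc_ms(local_ms)
  wall = Time.at(local_ms / 1000).utc
  local_ms + (us_dst?(wall) ? EDT_OFFSET_MS : EST_OFFSET_MS)
end

# Constructed sample: a device reporting 12:00 local on 1 July 2023.
if __FILE__ == $PROGRAM_NAME
  sample = Time.utc(2023, 7, 1, 12).to_i * 1000
  fixed  = local_epoch_ms_to_utc_ms(sample)
  puts Time.at(fixed / 1000).utc
end
```

Getting this offset right matters when these events are correlated with logs from other sources, since a 4 or 5 hour skew puts them outside any time-window join.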