Timestamp and @timestamp not properly mapping

Elastic Stack Logstash
1

I am sure that this has been asked a number of times and from my review of the previous posts nothing seems to be helping me solve my problem.

My JSON has separate date and time fields.

I'm creating an 'eventTime' field in order to combine the date and time into a single reference.
mutate {
add_field => {"eventTime" => "%{Date} %{Time}"}

I'm then matching the eventTime to the correct format and assigning it to the @timestamp field.

    date {
		  match => ["eventTime", "yyyy-mm-dd HH:mm:ss"]
		  #match => ["Time", "MM/dd/yyyy HH:mm:ss"]
		  timezone => "America/Chicago"
		  target => "@timestamp"
         }

I am beyond my _dateparsefailure issues but the eventTime is not matching that of @zikakou1er

"eventTime" => "2017-05-09 00:05:08",

"@timestamp" => 2017-01-09T06:05:08.000Z,

"Time" => "00:05:08",

"Date" => "2017-05-09",

I am sure it is something easy that I am just missing but can't seem to get passed my mental block.

Any suggestions would be appreciated.

Thanks in advance.

2

i just read you are beyond _dateparsefailure.

It's changing your local time to match UTC by +6 - http://joda-time.sourceforge.net/timezones.html

if you want to send output as it is then you may need to use timezone => "Etc/UTC"

hope this helps.

3

you can check this link as well for any hints:

4
  • The six-hour difference is because @timestamp is UTC and your input timestamp isn't.
  • The wrong month problem looks exactly like you had used DD in your date pattern instead of dd, but according to what you posted you used dd. Start by correcting your use of mm for the month number so that you use MM instead. With that fix you should be fine.
3 Likes
5

Thank you so much.

That resolved the issue and I appreciate your time to respond.

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.