Timestamp changes in Logstash input?

Hello all,

I have had this index going for like at least the last 2 years, and all of a sudden the timezone seems to not be working correctly. The pipeline has some transforms in it, but nothing touches the @timestamp in the existing logic. It's really as simple as this:

input
{
	udp
	{
		port => 514
		codec => plain {charset => "ISO-8859-1"}
	}
}


output
{
	elasticsearch
	{
		hosts => ["http://localhost:9200"]
		index => "syslog-%{+YYYY.MM.dd}"
		document_id => "%{[fingerprint]}"	
	}
}

In this scenario, I get an @timestamp in UTC, and my Kibana setting is set to "Browser".

However, when I go into Discover, all the data is in the future (I'm in AZ), so I figured something had changed in Logstash or Kibana, or maybe Elasticsearch, so I added the following filter in my pipeline (which I know is a bad idea).

filter 
{
	ruby {code => 'event.set("@timestamp", LogStash::Timestamp.new(event.get("@timestamp")-25200))'}
}

Which fixes the problem, UNTIL the index rolls over, then it happens again. I'm so confused. Where is the problem? Does it have something to do with the template, or what?
