Timestamp copy problem with Timezone

Hey there, my first topic here.
Wanted to ask for some help because I can't find an answer/solution for my problem.

So, I have a Logstash filter that copies the @timestamp field to make the timestamp more friendly for elastalert.

Input into logstash: @timestamp: 2021-07-29T12:00:00.000Z

My logstash filter:

filter {
  # Split the ISO-8601 @timestamp into a date part and a time part,
  # dropping the fractional seconds and the trailing "Z".
  grok {
    match => { "@timestamp" => "%{GREEDYDATA:logDATE}T%{NOTSPACE:logTIME}\.%{NOTSPACE}" }
  }
  # Rebuild the two parts as "YYYY-MM-DD HH:MM:SS".
  mutate {
    add_field => { "elasticalert_timestamp" => "%{logDATE} %{logTIME}" }
  }
  # Clean up the temporary fields.
  mutate {
    remove_field => [ "logDATE", "logTIME" ]
  }
}

Output of elasticalert_timestamp: 2021-07-29 12 :00:00
Kibana view of @timestamp: 2021-07-29T13:00:00.000Z

Today, I noticed that @timestamp and elasticalert_timestamp are 1h behind.

So in the Kibana Index View I have it at 13:00, but in the @timestamp JSON view it is 12:00, and I wanted to have the right time in elasticalert_timestamp (that is 13:00).

Hi,

You have to take into consideration that the timestamps you see in Kibana are adapted to your point of view through your Kibana timezone settings.

Logstash and Elasticsearch store time data as UTC.

That's probably why you're seeing it 1h behind.

Hi,
Yes, I know that Kibana has the "event.timezone": [ "+01:00" ] field.
The question is, how do I add +1 so that my field elasticalert_timestamp gets the same Kibana time using Logstash?

Yes, I could use grok on the event.timezone field to get the "1" and use the math plugin to add it to elasticalert_timestamp, but I wanted to avoid spending more resources on this.
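As an added example (not part of the thread), the conversion the poster is after, written the way the body of a Logstash `ruby { code => ... }` filter would do it: parse the UTC @timestamp, shift it by the offset found in event.timezone, and format it as "YYYY-MM-DD HH:MM:SS". The event below is a constructed Hash standing in for the Logstash Event API, the "+01:00" offset and the elasticalert_timestamp field name are taken from the thread, and the helper names are this example's own.

```ruby
require "time"

# Constructed sample event shaped like the one in the thread:
# @timestamp is UTC (as Logstash/Elasticsearch store it) and
# event.timezone carries the offset Kibana applies when rendering.
SAMPLE_EVENT = {
  "@timestamp"     => "2021-07-29T12:00:00.000Z",
  "event.timezone" => ["+01:00"],
}

# Turn an offset such as "+01:00" or "-05:30" into signed seconds.
# Rejecting anything else avoids silently writing a wrong local time.
def offset_seconds(offset)
  m = offset.to_s.match(/\A([+-])(\d{2}):(\d{2})\z/)
  raise ArgumentError, "unsupported offset: #{offset.inspect}" unless m
  sign = m[1] == "-" ? -1 : 1
  sign * (m[2].to_i * 3600 + m[3].to_i * 60)
end

# Render a UTC ISO-8601 timestamp in the given offset, dropping
# fractional seconds and the trailing "Z" like the original grok did.
# Unlike string splitting, this also handles day rollover correctly.
def local_timestamp(utc_iso, offset)
  Time.iso8601(utc_iso)
      .getlocal(offset_seconds(offset))
      .strftime("%Y-%m-%d %H:%M:%S")
end

# What the ruby filter body would do with each event. `event` is a
# plain Hash here; in Logstash it would be event.get / event.set.
# A missing event.timezone falls back to UTC rather than failing.
def add_elastalert_timestamp(event)
  tz = Array(event["event.timezone"]).first || "+00:00"
  event["elasticalert_timestamp"] = local_timestamp(event["@timestamp"], tz)
  event
end

if __FILE__ == $PROGRAM_NAME
  puts add_elastalert_timestamp(SAMPLE_EVENT.dup)["elasticalert_timestamp"]
end
```

Inside Logstash, `event.get("@timestamp").to_s` yields the ISO-8601 string and `event.set("elasticalert_timestamp", ...)` writes the result; note that a fixed "+01:00" does not follow daylight-saving changes, so events from other parts of the year may need a different offset.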
