Timestamp field with local timezone!

alexwbai · December 10, 2018, 7:54pm

Sorry I know these timezone questions have been beaten to death but I'm really having trouble finding the solution to this problem:

This is what I want to do:

Take existing epoch time integer field (eg. 1544471514) and turn it into a timestamp in my LOCAL timezone.
I would like to use a TIMEZONE (eg. America/New_York), not just hardcode an integer offset (eg. localtime('+01:00') because I need to automatically adhere to daylight savings time changes etc.
This has nothing to do with the default @timestamp field and I know that date {} filter converts to UTC so I am not using that.

I've read I can use a ruby filter to do this but just need a push in the right direction.

Thanks!
AlexW

admlko · December 11, 2018, 10:19am

Yeah, I think you have to use ruby filter in order to accomplish what you want.

If I have understood correctly, you need to use 'tzinfo' rubygem in order to handle timezones the way you want to.

So, here's something to push you in the right direction.

  ruby {
    init => "['date', 'tzinfo'].each(&method(:require))"
    code => "
      tz = TZInfo::Timezone.get('Europe/Helsinki')
      local = tz.utc_to_local(Time.at(event.get('epoch_time_integer_field')))
      event.set('localtime', local.to_s)
      event.set('timezone', tz.to_s)
    "
  }

This is completely untested and my ruby skills are close to zero, but it should be enough to give you an idea how to achive your goal. I also have no idea in which format you would like to save the local time etc etc.

Please note, that you need to deliver tzinfo gem to Logstash by yourself.

alexwbai · December 14, 2018, 8:54pm

Awesome thanks so much admlko. I'm going to try to test out this code; it's amazing to me this is such a process.

Any tips on installing the tzinfo gem?

Thanks

alexwbai · December 17, 2018, 6:04pm

This did the trick. (I dissected the new date time at the end).

filter {
date {
match => ["epochts", "UNIX"]
target => "timetarget"
}

ruby {
init => "['date', 'tzinfo'].each(&method(:require))"
code => "
tz = TZInfo::Timezone.get('US/Eastern')
local = tz.utc_to_local(Time.at(event.get('epochts')))
event.set('localtime', local.to_s)
event.set('timezone', tz.to_s)
"
}

dissect {
mapping => {
"localtime" => "%{year}-%{month}-%{day} %{hour}:%{minute}:%{second} UTC"
}
}

}

system · January 14, 2019, 6:04pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.