Timestamp field with local timezone!

Elastic Stack Logstash
1

Sorry I know these timezone questions have been beaten to death but I'm really having trouble finding the solution to this problem:

This is what I want to do:

  1. Take existing epoch time integer field (eg. 1544471514) and turn it into a timestamp in my LOCAL timezone.
  2. I would like to use a TIMEZONE (eg. America/New_York), not just hardcode an integer offset (eg. localtime('+01:00') because I need to automatically adhere to daylight savings time changes etc.
  3. This has nothing to do with the default @timestamp field and I know that date {} filter converts to UTC so I am not using that.

I've read I can use a ruby filter to do this but just need a push in the right direction.

Thanks!
AlexW

2

Yeah, I think you have to use ruby filter in order to accomplish what you want.

If I have understood correctly, you need to use 'tzinfo' rubygem in order to handle timezones the way you want to.

So, here's something to push you in the right direction.

  ruby {
    init => "['date', 'tzinfo'].each(&method(:require))"
    code => "
      tz = TZInfo::Timezone.get('Europe/Helsinki')
      local = tz.utc_to_local(Time.at(event.get('epoch_time_integer_field')))
      event.set('localtime', local.to_s)
      event.set('timezone', tz.to_s)
    "
  }

This is completely untested and my ruby skills are close to zero, but it should be enough to give you an idea how to achive your goal. I also have no idea in which format you would like to save the local time etc etc.

Please note, that you need to deliver tzinfo gem to Logstash by yourself.

3

Awesome thanks so much admlko. I'm going to try to test out this code; it's amazing to me this is such a process.

Any tips on installing the tzinfo gem?

Thanks

4

This did the trick. (I dissected the new date time at the end).

filter {
date {
match => ["epochts", "UNIX"]
target => "timetarget"
}

ruby {
init => "['date', 'tzinfo'].each(&method(:require))"
code => "
tz = TZInfo::Timezone.get('US/Eastern')
local = tz.utc_to_local(Time.at(event.get('epochts')))
event.set('localtime', local.to_s)
event.set('timezone', tz.to_s)
"
}

dissect {
mapping => {
"localtime" => "%{year}-%{month}-%{day} %{hour}:%{minute}:%{second} UTC"
}
}

}

1 Like
5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.