Timestamped events not going to correct index up until 08:59:59.999 JST

popa · December 12, 2018, 2:33am

As the title implies, my timestamped events are being added to the wrong index everyday up until 08:59:59.999 JST.

Before 09:00:00 JST

 @timestamp     November 20th 2018, 08:59:59.835
 _index	      	     winlogbeat-6.4.0-2018.11.19

After 09:00:00 JST

 @timestamp     November 20th 2018, 09:00:58.491
 _index	      	     winlogbeat-6.4.0-2018.11.20

I can understand why this is happening, because my geographic location (Japan) is +9 hours ahead of UTC.

I'm wondering if this is normal behavior or not? If not, I'm wondering if it's possible to fix this by reindexing or is there some other more efficient method to solve this issue?

Shaoranlaos · December 12, 2018, 6:22am

This is completly normal behaviour, all timestamps are saved as UTC in the Elastic Stack.
All datasources (Filebeat with modules, other beats or Logstash date filter) convert there local timestamp (timezone) to UTC in the resulting event.

popa · December 12, 2018, 6:24am

Thanks! I was going through and looking for any issues while learning the stack and noticed this. Glad to know that it's normal behavior.

system · January 9, 2019, 6:24am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Wrong timestamp (NOT timezone issue) with System module Beats filebeat	4	550	February 10, 2020
Event.created is always 8 hours later then @timestamp Beats filebeat	4	498	May 20, 2021
Wrong timestamp from Windows filebeat Logstash	3	781	February 22, 2018
Timestamp timezone Beats filebeat , auditbeat	10	3030	March 25, 2022
Logs time 6 hours behind local time Metrics	32	4418	April 27, 2019

Timestamped events not going to correct index up until 08:59:59.999 JST

Related topics