Timezone issue with logstash date filter plugin

Gauti · May 30, 2020, 5:15pm

Hi All,

We are ingesting data into elasticsearch using logstash, our problem here is with the timezone issue. We are having a total of 8 date fields in the documents
for example we are ingesting servicenow data, which will have the fields like createdDate, updatedDate, closedDate, resolvedDate, we have written a mapping for date conversion in kibana which is working fine.

But the problem is the timezone, by default elasticsearch is storing in UTC and my source time zone is in "America/New_York" the data which is shown in kibana and my source has a difference of 4 hours(basically kibana time is 4 hours ahead of my source data)

with this difference i cant build a trendline which will be of no use it its not proper.

Any advice on this

Thanks
Gautham

Badger · May 30, 2020, 5:50pm

elasticsearch always stores times as UTC. By default kibana will display times in the browser's timezone. You can use the timezone option on a date filter to tell the filter which timezone the logs are in, so that it can set the date in the event to UTC.

Do you have a problem with any of those?

Gauti · May 30, 2020, 6:06pm

@Badger The date filter in logstash is not working...

Below is my time filter

filter {
  date { match => ["[result][sys_created_on]", "MM-dd-yyyy HH:mm:ss"]
          timezone => [ "America/New_York" ] }

Thanks
Gautham

Badger · May 30, 2020, 7:12pm

If you want [result][sys_created_on] modified then set the target option on the date filter. By default the filter overwrites @timestamp

system · June 27, 2020, 7:12pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.