I have searched for an answer to this, but I'm still not clear.
I have some logs that contain a timestamp, but no timezone. I understand that I can specify a timezone using filter.date.timezone in the Logstash pipeline configuration. The following link recommends using one of the Canonical IDs listed on the Joda Time page.
What I'm not clear on is the following: If my server is in the US Eastern Timezone, it will change from EST to EDT and back twice a year. I don't want to specify "EST" as my timezone in my config, as it will presumably be incorrect for about half the year (during Daylight Savings Time, when the correct timezone is EDT).
Is there a timezone I can specify in the Logstash config that will be interpreted correctly by Logstash regardless of whether Daylight Savings Time is or is not active? (For example, if the log has a timestamp of 1 January 2017 it will be interpreted as EST, since Daylight Savings is not active, but if the log has a timestamp of 1 July 2017 it will be interpreted as EDT, since Daylight Savings is active.)
I see there is a "EST5EDT" timezone. Is this what I need to use?
If I don't specify timezone in the Logstash config, it will presumably use the system timezone, right?
But will this work if I'm processing logs from 6 months ago that were created when Daylight Savings Time was the opposite of what it currently is based on the system clock? (For example, if it's currently 1 July 2017 according to the system clock -- EDT -- and I'm processing logs from 1 Jan 2017 -- EST -- what timezone will be used by Logstash?)
In Logstash if a datetime string has no TZ part it is assumed to be a UTC time.
If you know that the datetime is a local time string then you need to tell the date filter which timezone the date was generated in. You may use one of the Joda timezones, e.g. America/New_York, America/Detroit or EST5EDT <- these are merely labels that point to Timezone Java code that know what changes in clocks occurred in all timezones for quite some time into the past. See this page for info on how the updates are followed. http://www.oracle.com/technetwork/java/javase/tzdata-versions-138805.html
Once the datetime string is converted to a Timestamp object (by the date filter) it is considered UTC time.
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.