Please clarify what timestamp you are talking about and where you are seeing it.
@timestamp as sent by Filebeat is always in UTC (as indicated by Z).
Kibana renders all date type fields using the browser's timezone. The @timestamp field is of date type.
If you are parsing timestamps out of log lines and the timestamp doesn't specify a timezone, then you can use add_locale to instruct Filebeat to add the machine's timezone to outgoing events. Then on the parsing machine (Logstash or Ingest Node) you can pass this timezone to the date filter so that it interprets the timestamp properly.
We want to change the timezone in the JSON lines. Now it is always in UTC (as indicated by Z) but...
How can we send a log line (like the line below) and set the timezone to GMT+1? Must we change the Z?
It is not possible to modify the format or timezone used in the @timestamp field for Beats. It's not a practice we encourage. Why do you want to change the timezone of @timestamp?
We can change the log PRIOR to it being parsed in Filebeat.
Our original logs are not in JSON and we have a script that converts them to JSON, so it is not a problem for us to change all the JSON lines.
My question is... when does Filebeat understand that @timestamp is GMT+1? What changes must we make in the JSON line to set the timezone to GMT+1 (or other)?
I think I'm starting to understand your issue. Could you please share your Filebeat config so I can confirm I understand your setup?
When parsing JSON with Filebeat that contains @timestamp I believe Filebeat will parse the @timestamp value as RFC3339. I don't see this in the docs, but maybe I missed it (we should add it).
So instead of 2018-01-21T23:50:18.000Z+0100, try 2018-01-21T23:50:18+01:00 in your logs.
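
The following is an added example, not part of the thread or of Filebeat: a sketch of how a log-to-JSON conversion script could emit @timestamp in RFC 3339 form with a numeric offset, reject the mixed "Z plus offset" form, and show the UTC instant the value denotes. The raw line layout ("YYYY-MM-DD HH:MM:SS message"), the fixed offset, and all function names are assumptions made for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# RFC 3339 date-time ends in either "Z" or a numeric +HH:MM / -HH:MM offset, never both.
RFC3339 = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})")

# Constructed sample line in the assumed raw format (local time, no timezone).
SAMPLE = "2018-01-21 23:50:18 user login failed"


def is_rfc3339(value):
    """True only if the whole string is a well-formed RFC 3339 date-time."""
    return RFC3339.fullmatch(value) is not None


def to_rfc3339(local_text, offset_hours, fmt="%Y-%m-%d %H:%M:%S"):
    """Attach a fixed UTC offset to a timestamp that was logged without one.

    Assumption: the source host uses one constant offset (no DST handling).
    """
    tz = timezone(timedelta(hours=offset_hours))
    return datetime.strptime(local_text, fmt).replace(tzinfo=tz).isoformat()


def to_utc(value):
    """Return the UTC instant an RFC 3339 value denotes, written with a trailing Z."""
    if not is_rfc3339(value):
        raise ValueError(f"not RFC 3339: {value!r}")
    parsed = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return parsed.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")


def convert_line(raw_line, offset_hours):
    """Turn 'YYYY-MM-DD HH:MM:SS message' into one JSON line carrying @timestamp."""
    stamp, message = raw_line[:19], raw_line[20:]
    event = {"@timestamp": to_rfc3339(stamp, offset_hours), "message": message}
    return json.dumps(event)


if __name__ == "__main__":
    line = convert_line(SAMPLE, 1)
    print(line)
    print(to_utc(json.loads(line)["@timestamp"]))
```

The UTC value printed at the end is the instant a Z-suffixed @timestamp would carry for the same event, which is the form to compare against when correlating events across hosts.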