Hello,
I recently upgraded my installation to Elasticsearch 6.1.1 and noticed a slight issue with the indexed data in Kibana.
If I choose the 'last 15 min' filter I am not able to see the data. However if I choose 'Today', I see the indexed events one hour later.
I think that the problem comes from the timestamp found in the elasticsearch log files.
The date is in ISO8601 format but not in UTC. The line is then read by filebeat (with the elasticsearch module enabled) and sent to Elasticsearch.
It goes through the ingest pipeline. The pipeline just parse the message field and use a date processor:
{
"date" : {
"formats" : [
"ISO8601"
],
"ignore_failure" : true,
"field" : "elasticsearch.server.timestamp",
"target_field" : "@timestamp"
}
},
but the processor probably assumes that the timestamp is already in UTC. It explains why I get a shift of one hour.
I tried to change (with success) the log4j2.properties by adding {UTC} in the pattern of each rollingfile appender: %d{ISO8601}{UTC}
but I suppose that it is not the good approach.
I could also modify the existing pipeline by adding a timezone parameter...
@Pascal72 would you be able to provide some log samples?
Do I understand correctly, you ingest logs from one ES instance into second ES instance and then visualise these on Kibana connected to second ES instance?
@Pascal72 you could also try to configure your filebeat module with var.convert_timezone and that would mean that filebeat would parse the date with system time zone as well.
Here is a sample.
In my log file:
[2019-03-11T16:29:18,502][INFO ][o.e.c.m.MetaDataDeleteIndexService] [xxxxxx] [project.346bdccd-d612-11e8-a907-00505693238b.2019.03.09/dQd_YJXXSqu5NRcj3EDTLA] deleting index
16:29:24 is the local time (luxembourg)
From my understanding, it should index to 15:29:24 and in Kibana, through the browser interface, it should display 16:29:24 and not 17:29:24
yes I also tried to play with the var.convert_timezone option but I don't see any changes.
Apparently, this option triggers the add_locale processor:
{{ if .convert_timezone }}
processors:
add_locale: ~
{{ end }}
and if I check the documentation, I see: The add_locale processor enriches each event with the machine’s time zone offset from UTC or with the name of the time zone. It supports one configuration option named format that controls whether an offset or time zone abbreviation is added to the event. The default format is offset. The processor adds the a beat.timezone value to each event.
it enriches the event but it doesn't transform the timestamp in UTC.
What version of Filebeat are you running? In the original post you said 6.1.1 but from looking at the sample output in a later post it looks like 6.6.1. I'm guessing it's 6.6.1 but do you mind confirming that?
Could you make the following Elasticsearch API call and post the output here please?
GET _ingest/pipeline/filebeat-*elasticsearch*server*
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
