Why do I need to set times in UTC in the query bar?

jcaballero · August 7, 2019, 3:56pm

Using Kibana 5.4.1

Here are the facts:

The data I am parsing with LogStash includes some timestamps I need to convert to a new field "my_datefield".
Those timestamps are in local time in the logs files.

I convert them to UTC before putting them in ElasticSearch, using the LogStash filter plugin Date:

date {
    match => ["my_datefield", "MM/dd/yy HH:mm:ss.SSS", "MM/dd/yy HH:mm:ss", "MM/dd/yy HH:mm:ss.1000"]
    target => "my_datefield"
}

That works, and "my_datefield" is stored in ElasticSearch in UTC.
When I visualize the data in Kibana, they are converted properly back to local time, so I see the original values, not the UTC ones. Perfect.
Problem is when I want to do a filter, like this
```
my_datefield:["2019-08-07T10:00:00" TO "*"]
```
Apparently I need to specify the dates in UTC, instead of local times. Which is very confusing as the data is already visualized in local time.

Is this unavoidable? Or is it just a matter of adjusting some Kibana configuration parameter?

Thanks a lot in advance.
Jose

jcaballero · August 7, 2019, 7:52pm

Hmm... Is just a matter of adding "time_zone":"America/New_York" to the dictionary query:queryString:options in "advanced settings"?

lukas · August 13, 2019, 11:31pm

That should do the trick. Did it work for you?

jcaballero · August 13, 2019, 11:56pm

Yes, it did

system · September 10, 2019, 11:56pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.