Why does my @timestamp show the wrong hour when overwritten?

echo "Nov 25 11:12:15 test message goes here" | /usr/share/logstash/bin/logstash -e 'input { stdin {} }
filter {
  grok {
    keep_empty_captures => true
    match => { "message" => "^(?<logTime>%{SYSLOGTIMESTAMP:ts}) .*$" }
    add_tag => ["parsed_msg"]
    remove_tag => ["_grokparsefailure"]
  }
  date {
    # HH is the 24-hour clock (0-23); hh is the 12-hour clock and does not parse hours 13-23
    match => [ "ts", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss", "ISO8601" ]
    target => "@timestamp"
    remove_field => ["ts"]
  }
}' --path.data /tmp/test
 
 ---output -----
 {
       "logTime" => "Nov 25 11:12:15",
      "@version" => "1",
       "message" => "Nov 25 11:12:15 test message goes here",
    "@timestamp" => 2021-11-25T16:12:15.000Z,
          "host" => "myhost",
          "tags" => [
        [0] "parsed_msg"
    ]
}

------ problem/Expectation ------
The actual hour in the log is 11, but @timestamp shows hour 16; why?
How can we make @timestamp show the hour as 11?

The @timestamp field uses UTC and this can't be changed.

The time Nov 25 11:12:15 does not have any timezone reference, so if I'm not wrong, the timezone used by the Logstash date filter will be the Logstash server timezone.

What is the server timezone? What is your timezone? What is the timezone of the date in the log file?

Since your date does not have timezone information, you should pass this information to the date filter using the timezone option.

Hi Leonardo,
Thanks for your quick reply.
Adding timezone => "UTC" to my configuration worked like a charm.
Thank you very much.
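The arithmetic behind this thread, as an added example that is not part of the original posts and not Logstash code: it recovers the UTC offset a parser must have assumed from a zone-less syslog time and the resulting @timestamp, then shows the value under an explicit offset. The function names are hypothetical, and fixed offsets are used, so daylight-saving rules are not modelled.

```python
from datetime import datetime, timedelta, timezone

RAW = "Nov 25 11:12:15"                 # syslog time from the thread (no zone, no year)
OBSERVED = "2021-11-25T16:12:15.000Z"   # @timestamp from the thread's output


def parse_syslog(ts: str, year: int) -> datetime:
    """Parse 'Nov 25 11:12:15' or 'Nov  5 01:02:03' into a naive datetime."""
    # Syslog pads single-digit days with a space; split() collapses the padding.
    month, day, clock = ts.split()
    return datetime.strptime(f"{year} {month} {day} {clock}", "%Y %b %d %H:%M:%S")


def to_utc(ts: str, year: int, utc_offset_hours: float) -> datetime:
    """UTC instant obtained when the naive time is read at a fixed UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return parse_syslog(ts, year).replace(tzinfo=tz).astimezone(timezone.utc)


def implied_offset_hours(ts: str, observed_utc: str) -> float:
    """Offset (hours) the parser must have assumed to produce observed_utc."""
    observed = datetime.strptime(observed_utc, "%Y-%m-%dT%H:%M:%S.%fZ")
    candidates = []
    # The log line has no year; near New Year the local year can differ
    # from the UTC year, so try the neighbouring years as well.
    for delta in (-1, 0, 1):
        try:
            candidates.append(parse_syslog(ts, observed.year + delta))
        except ValueError:
            continue  # e.g. 'Feb 29' in a non-leap year
    local = min(candidates, key=lambda c: abs(c - observed))
    return (local - observed).total_seconds() / 3600


if __name__ == "__main__":
    offset = implied_offset_hours(RAW, OBSERVED)
    print(f"parser assumed UTC{offset:+.0f}h for the zone-less timestamp")
    print("read at that offset:", to_utc(RAW, 2021, offset).isoformat())
    print("read as UTC:        ", to_utc(RAW, 2021, 0).isoformat())
```

When correlating events across hosts, the same check on one known log line per source shows whether its timestamps were shifted at ingest.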
